MAKING THE BEST RIGHT DECISION

Business  ethicist  Joseph  Badaracco  explains  how  to  choose  the 
best  course  of  action  when  things  aren't  black  and  white. 

»  www.cio.com/career/boost 


[LEADERSHIP] 

2006  Ones  to  Watch 

In addition to the Ones to Watch coverage in this print edition of CIO, we have some great online exclusives:

Read profiles of this year’s winners.

Listen to podcasts, in which our honorees talk about their leadership experiences—including personal successes and failures.

View  the  survey  results  to  find  out  what  kind  of  training  these 
rising  stars  have  had,  where  they  see  themselves  in  five  years 
and  more. 

»  www.cio.com/awards/otw/2006 


[DISASTER  RESPONSE] 

SURVIVING  WORST-CASE 
I.T.  SCENARIOS 

How  would  you  deal  with  a  hurricane— in 
Pittsburgh?  Got  a  plan  for  avian  flu?  What’s 
your  procedure  for  a  flooded  data  center? 
Battle-hardened  IT  executives  describe  how 
they  prepare  for  their  worst-case  scenarios. 

»  www.cio.com/podcasts/leadership/ 
podcast.html 
& OPEN SOURCE

A  three-part  series 
explains  why  having  an 
open-source  strategy 
today  is  essential  to 
remaining  competitive  in 
the  decade  ahead. 
blogs.cio.com/blog/30 


THE  ABC’S  OF  DISASTER 
PLANNING 

Disaster recovery and business continuity planning help organizations prepare for disruptive events. This primer covers the basics.

»  www.cio.com/abcs 
» Team Building: Ones to Watch winner Tonya Ruscoe, deputy CIO at Holiday Retirement, and her CIO, Steve McDowell, discuss IT team building in a CIO Executive Council teleconference July 13, 4-5 p.m. ET. Open to all IT practitioners from the CIO readership. Register at www.cioexecutivecouncil.com/public/teleconferences.
Cost Cutting. Again?

Yes. But this time, you can add (value) while you subtract (costs).
Forty percent of CIOs polled in a recent CIO Executive Council survey reported that they were under “very high” or “significant” pressure to cut costs.

Cutting costs. What a drag. Who got into IT—or any profession—in order to cut costs? (Except, perhaps, for a few weird accountants, bankers and CFOs.) Don’t the business guys know that IT drives innovation, and innovation drives success and competitive differentiation? Haven’t CIOs been told over and over that the CEO wants IT to contribute to the top line? And doesn’t this tired tune about cost cutting mitigate all that? Everyone knows you have to spend money to make money.

In the best of all possible worlds, everyone would raise a glass to IT and give it all the cash it needs to support the business. Unfortunately, this is not the best of all possible worlds; this is the real world.

And in the real world of business, cutting costs is the most direct path toward profitability. At least for the next quarter.

It’s  no  use  complaining.  To  quote  Hyman  Roth  in  The  Godfather  Part  II,  like  it  or 
not,  “This  is  the  business  we’ve  chosen.” 

CIOs  have  to  cut  costs,  but  cutting  rashly  is  not  a  long-term  strategy  for  business 
success— or  for  the  CIO’s  job  security.  You  need  to  do  your  trimming  strategically  so 
that  the  cuts  produce  sustainable  value.  If  you  play  your  cards  right,  the  money  you 
save  might  even  come  back  to  you  to  fund  innovation. 

In  “Trimming  for  Dollars,”  on  Page  34,  we  introduce  you  to  CIOs  at  companies  both 
large  and  small  who  have  learned  to  cut  smart.  Their  rules  include: 

1.  Don’t  keep  multiple  systems.  Getting  rid  of  them  reduces  labor,  licensing  and 
hardware  costs,  and  promotes  efficiency  and  improved  service. 

2.  Routinize  the  routine.  Automate  wherever  and  whenever  possible.  This  is 
something  IT  has  always  been  very  good  at,  and  it  saves  labor  costs. 

3.  Examine  service  levels.  Not  everything  needs  to  be  maintained  24/7. 

4.  Only  pay  for  what  you  use.  Are  you  paying  licensing  fees  on  applications  you 
no  longer  use?  Bet  you  are.  Bet  you  don’t  even  know  that  you  are. 

5.  Get  rid  of  old  hardware.  As  United  Technologies  CIO  John  Doucette  says,  “Old 
stuff  is  evil.”  It’s  expensive  to  maintain  and  generates  less  value. 

There are lots of other rules, tips, stories and wisdom in “Trimming for Dollars,” but I’m under “significant” pressure to reduce the number of words I use in these letters. Type ain’t free, ya know. And brevity has a demonstrable ROI.

drosenbaum@cio.com


FROM THE PUBLISHER


Letters,  I  Get  Letters 


And  I  don’t  mean  e-mail 


Scores of handwritten missives in response to my May 1 “E-Mail Addiction” Publisher’s Letter (www.cio.com/050106) offering tips to tame the e-mail beast sent me scampering to find my tarnished letter opener.

On a 757 loaded with business executives glued to their laptops, I certainly stood out in seat 13C, slipping handwritten letters out of envelopes and writing a response to each. On paper! With a pen! In ink! Several passengers shot me a “haven’t you heard of e-mail” glance as they walked down the aisle.

“Obtain  some  white  writing  paper  and  a  fountain  pen— like  your  mom  used,” 
wrote  one  reader.  “You’ll  find  yourself  taking  pride  in  your  choice  of  words  and  the 
presentation  of  your  thoughts.  Word  processing  and  e-mail  have  robbed  us  of  our 
ability  to  think,”  he  concluded. 

Another correspondent suggested an idea that has bounced around for ages—but with an innovative twist. “How about charging people 1 cent for each e-mail?” he wrote. “[The money] could be collected at the ISP level and be used for schools, charities.” And he kept going. He estimated the cost of receiving and deleting unwanted e-mail at 2.5 cents per e-mail. Want to take a bite out of operating expenses? he asked. Start with the people you employ. Guesstimate how many unwanted, irrelevant e-mails they receive each day. Now multiply that number by the number of employees, and then multiply that by 2.5 cents.

Ouch! 

One  IT  exec  took  the  opportunity  to  point  out  (correctly)  that  CIO  was  guilty  of 
sending  out  unsolicited  survey  research  e-mails,  and  another  suggested  I  should 
hire  a  secretary  to  read  my  e-mail. 

It  took  me  five  hours  to  respond  to  all  the  letters.  And  at  the  end  of  writing  my 
last  note,  I  had  a  serious  case  of  writer’s  cramp. 

But otherwise, I felt good. I felt my time had been well spent, which is a very different sensation from what I get after an e-mail session. E-mail may be quicker, but the good old-fashioned handwritten note is a surefire way to get the attention of those who matter to you, both in your business and in your personal life.

So  I  say,  Write  on! 


Gary  Beach,  Publisher 

gbeach@cio.com
CIO 


BUSINESS  TECHNOLOGY  LEADERSHIP 


president  and  ceo  Michael  Friedenberg 
publisher  Gary  J.  Beach 

EDITORIAL 

editor  in  chief  Abbie  Lundberg 
managing  editor  David  Rosenbaum 

EXECUTIVE  EDITORS 

Christopher  Koch,  Elana  Varon 

WASHINGTON  BUREAU  CHIEF 

Allan  Holmes 

TECHNOLOGY  EDITOR 

Christopher  Lindquist 

SENIOR  EDITORS 

Stephanie  Gelston,  Stephanie  Overby 

SENIOR  WRITERS 

Meridith  Levinson,  Susannah  Patton, 
Thomas  Wailgum,  Ben  Worthen 

CONTRIBUTORS 

Lauren  Capotosto,  Susan  Cramm,  Grant  Gross, 
Galen  Gruman,  Mike  Hugos,  Scott  Kirsner,  Sumner 
Lemon,  Robert  McMillan 

EDITORIAL  ADMINISTRATOR 

Jill  Paquette 

DESIGN 

EXECUTIVE DIRECTOR, ART AND DESIGN

Mary  Lester 

art  director  Terri  Haas 

ASSOCIATE  ART  DIRECTORS 

Matthew  Goebel,  Chandra  Tallman 

COPY  TEAM 

assistant  managing  editor  Emily  S.  Henderson 

SENIOR  COPY  EDITORS 

Diann  Daniel,  Cathy  Mallen 

EDITORIAL  ASSISTANTS 

Margaret  Locher,  Christopher  Lynch, 
Katherine  Walsh 

ONLINE  EDITORIAL 

TECHNOLOGY  EDITOR 

Christopher  Lindquist 

WEB  EDITORS 

Sandy  Kendall,  Paul  L.  Kerstein 

ONLINE NEWS WRITER Al Sacco
online  copy  editor  David  Gradijan 

RESEARCH 

RESEARCH  DIRECTOR 

Lorraine  Cosgrove  Ware 

RESEARCH  MANAGER 

Carolyn  Johnson 


INTERNATIONAL  DATA  GROUP 
BOARD  CHAIRMAN  Patrick  J.  McGovern 

PRESIDENT, IDG communications Bob Carrigan



©CXO  Media  Inc. 


WHAT  WE  COVER,  WHOM  TO  CONTACT 

CIO  CAREER 

ENTERPRISE 

■ Skills

INFRASTRUCTURE 

■  Job  Specs 

■  Enterprise  Architecture,  SOA 

■  Career  Path 

■  Middleware 

■  Professional  Development 

■  Enterprise  Resource  Management  (ERP) 

■  Personal  Development 

■ Supply Chain Management (SCM)

Meridith  Levinson,  mlevinson@cio.com 

■  B2B  Electronic  Commerce 

Stephanie  Gelston,  sgelston@cio.com 

LEADERSHIP  &  MANAGEMENT 

Christopher  Koch,  ckoch@cio.com 

Ben  Worthen,  bworthen@cio.com 

■  Governance  &  Alignment 

CUSTOMERS 

■  Budget  Management  &  IT  Value 

■  Customer  Resource  Management  (CRM) 

■  Business  Process  Redesign 

■  B2C  Electronic  Commerce 

■  Management  Methodologies 

■  Business  Intelligence 

■  Project  Management 

Thomas  Wailgum,  twailgum@cio.com 

■  Elana  Varon,  evaron@cio.com 

Christopher  Koch,  ckoch@cio.com 

Susannah  Patton,  spatton@cio.com 

Sourcing  and  Staffing 

TECHNOLOGY 

■  Emerging  Technology 

OUTSOURCING/INSOURCING 

■  Networking  &  Communications 

■  Staffing 

■  Data  Center 

■  Vendor  Management 

■  Storage 

■  Knowledge  Management 

■  Hardware 

Stephanie  Overby,  soverby@cio.com 

Christopher  Lindquist,  clindquist@cio.com 

Stephanie  Gelston,  sgelston@cio.com 

Thomas  Wailgum,  twailgum@cio.com 

RISK  MANAGEMENT 

GOVERNMENT 

■  Security 

■  Privacy 

■  Business  Continuity 

■  Compliance 

Ben  Worthen,  bworthen@cio.com 

Allan  Holmes,  aholmes@cio.com 

Susannah  Patton,  spatton@cio.com 

Allan  Holmes,  aholmes@cio.com 

COLUMN  &  DEPARTMENT  CONTACTS 

Applied  Insight 

Martha  Heller 

Christopher  Koch,  ckoch@cio.com 

Stephanie  Gelston,  sgelston@cio.com 

Book  Reviews 

Michael  Schrage 

Elana  Varon,  evaron@cio.com 

Abbie  Lundberg,  lundberg@cio.com 

By  the  Numbers 

On  the  Move 

Elana  Varon,  evaron@cio.com 

Meridith  Levinson,  mlevinson@cio.com 

Endlines 

Peer  to  Peer 

David  Rosenbaum,  drosenbaum@cio.com 

David  Rosenbaum,  drosenbaum@cio.com 

Essential  Technology 

Susan  Cramm 

Christopher  Lindquist,  clindquist@cio.com 

David  Rosenbaum,  drosenbaum@cio.com 

Forum 

Total  Leadership 

David  Rosenbaum,  drosenbaum@cio.com 

Elana  Varon,  evaron@cio.com 

InBox 

Trendlines 

Cathy  Mallen,  cmallen@cio.com 

Keynote 

David  Rosenbaum,  drosenbaum@cio.com 

Elana  Varon,  evaron@cio.com 

e-mail  letters@cio.com  phone  508  872-0080  fax  508  879-7784  address  CIO  Magazine,  CXO  Media  Inc. , 
492  Old  Connecticut  Path,  P.O.  Box  9208,  Framingham,  MA  01701-9208  website  www.cio.com 
subscriber  services  866  354-1125  •  Fax  847  564-9453  •  E-mail  cio@omeda.com 
reprint  services  Jennifer  Eclipse  •  PARS  International  •  212  221-9595  ext.  237  •  E-mail  jeclipse@parsintl.com 
rights  and  permission  Yadira  Pizarro  •  212  221-9595  ext.  231  •  E-mail  yadira@parsintl.com 


10  JULY  1,  2006  |  www.cio.com 


NEW * HOT * UNEXPECTED

Chinese Scientist Fired Over Faked Chips

semiconductors The firing in May of a prominent Chinese academic for faking the development of one of China’s best-known chips is an embarrassing setback for a government that sees high-technology research and development as key to the country’s economic future.

Chen  Jin,  the  dean  of  Shanghai  Jiaotong  University’s 
School  of  Microelectronics,  was  fired  after  a  government 
investigation  determined  he  faked  the  development  of 
the  Hanxin  series  of  digital  signal  processors  (DSPs). 
DSPs  are  a  type  of  processor  used  in  mobile  phones  and 
other  electronic  devices.  Shanghai  Jiaotong  is  considered 
among  the  top  universities  for  science  in  China. 

Originally hailed as a breakthrough for China’s chip industry, the first Hanxin DSP was unveiled in 2003. Subsequently, Chen and his team of researchers introduced three more versions of the chip, declaring that they matched the performance and capabilities of DSPs available from leading multinational companies. Continued on Page 14


Chen  Jin  unveils  the  bogus  Hanxin  I  digital  signal  processor  in  2003.  Chen  was  fired 
in  May  as  dean  of  the  Shanghai  Jiaotong  University  Microelectronics  School  after 
he  was  charged  with  faking  the  chips. 


Nailed for Reading the Boss’s E-Mail

security A former U.S. government security auditor was sentenced in May to 10 months of jail time and home confinement after admitting to snooping on his supervisor’s computer.

Kenneth Kwak, of Chantilly, Va., pleaded guilty in March to gaining unauthorized access to a government computer. He faced a maximum sentence of five years in prison and a $250,000 fine.

In his plea, Kwak acknowledged snooping in his boss’s files while working on securing U.S. Department of Education computer systems. Kwak then shared information about his supervisor’s e-mail and Internet habits with fellow workers, the U.S. Department of Justice said in a statement.

Officials  say  there  was  no  evidence  that 
Kwak  made  any  money  from  his  actions. 


In addition to five months in prison followed by five months’ home confinement, Kwak must pay $40,000 to the government and will serve a total of three years of supervised release.

“The prosecution was part of the ‘zero tolerance policy’ recently adopted by the U.S. Attorney’s Office regarding intrusions into U.S. government computer systems,” according to a Justice Department statement. -Robert McMillan
TRENDLINES


staffing  Conventional  wisdom  says  the  United  States  must  produce  more 
engineers  or  risk  losing  its  lead  in  innovation  to  India  and  China,  which  graduate 
hundreds  of  thousands  more  engineers  each  year  than  the  United  States  does.  But 
that’s  not  the  problem,  according  to  Forrester  Research:  We  simply  need  better  ones. 

The  race  to  develop  more  engineers  evokes  the  Cold  War  arms  race,  and  it’s 
an  approach  that  won’t  work  for  today’s  global  economy,  says  Navi  Radjou,  a  vice 
president  with  Forrester.  "We  should  not  be  looking  at  China  and  India  and  saying 
they  are  the  new  Japan  and  Russia.  These  countries  are  our  trading  partners.” 

Instead, to remain competitive the United States must breed a new type of engineer who is as business-savvy and multiculturally minded as he is technically trained, says Radjou. This interdisciplinary engineer is what India and China do not yet have.

Creating better engineers involves retraining current employees and revamping university engineering curricula to reflect interdisciplinary thinking. But even kindergarten teachers can prepare tiny innovators for engineering by encouraging collaboration and promoting multicultural education.

Nevertheless, argues Martin Jischke, an aeronautical engineer who is president of Purdue University, numbers have power. Jischke, an adviser to President Bush, supports interdisciplinary education but insists, “A nation that lacks a critical mass of scientists and engineers will not lead the world in the decades ahead.”

-Lauren Capotosto


CUTE, BUT (POTENTIALLY) DANGEROUS

viruses Family pictures are the most common type of personal file stored by employees on corporate networks, followed by digital music, movies, and video clips and games, according to a survey by technology reseller CDW of its corporate customers.

Although 62 percent of respondents say they don’t think personal storage presents an immediate problem, 92 percent nevertheless want to ban, or at least limit, the practice.

Why? Those baby pics are an information security threat. Or might become one. Every day it’s getting easier to embed viruses and other malware into image files. Clearly, respondents felt it’s best not to take chances. -Elana Varon


Continued  from  Page  13 


These announcements brought financial backing and praise from China’s central government for the Hanxin project, although the government has not revealed how much money was involved. But the fraud began to unravel in December, when officials received a tip that Chen had faked the development of the chips, sparking an investigation by the Ministry of Science and Technology.

The ministry, along with China’s National Development and Reform Commission, the government’s highest administrative body, have now pulled their funding for the project. In addition, the Ministry of Education retracted both an honorary title and undisclosed “remunerations” paid to Chen, according to China’s official Xinhua News Agency.

Chinese  media  reported  that  Chen  had  relabeled 
some  chips  designed  by  Freescale  Semiconductor,  a 
supplier  to  Motorola  and  Cisco,  and  passed  them  off 
as  the  first  version  of  the  Hanxin  chip. 

Investigators  concluded  that  none  of  the  Hanxin 
chips  met  the  specifications  Chen  claimed.  For 
example,  they  discovered  that  the  Hanxin  1  chip 
could  not  play  MP3  files.  They  also  found  that 
the  most  recent  version  of  the  chip,  the  dual-core 
Hanxin  4,  is  based  on  a  single-processor  core  from 
another  company  (which  they  did  not  name)  and 
was  not  developed  by  Chen  and  his  team. 

Academic and scientific fraud is an area of growing concern in China, where many academics are also businessmen with their own companies. That includes Chen, who headed the company Shanghai Hanxin Science & Technology, created to market the Hanxin chips. Companies and researchers in China are under pressure from the central government to keep pace with its ambitious economic development goals, creating an environment in which some academics may misrepresent the results of their work to profit financially and professionally.

On  May  8, 120  Chinese  scientists  and  professors, 
many  of  whom  work  at  universities  in  the  United 
States,  released  a  letter  they  sent  to  Xu  Guanghua, 
China’s  minister  of  science  and  technology,  and 
Lu  Yongxiang,  president  of  the  Chinese  Academy 
of  Sciences.  They  called  on  the  government  to  set 
guidelines  for  dealing  with  scientific  misconduct 
and  to  establish  committees  to  investigate 
allegations  of  fraud. 


-Sumner  Lemon 


5  steps 

SUCCESS 

telephony  Sage  Research  recently 
announced  the  winners  of  a  contest  recognizing 
organizations  that  have  successfully  rolled  out  voice 
over  IP  (VoIP)  systems.  Here  is  advice  from  these 
top  practitioners  (which  include  Outrigger  Hotels  & 
Resorts  and  Prudential  Northwest  Properties). 

DO  RESEARCH.  Talk  with  CIOs  who  have  rolled 
out  VoIP  about  their  experiences  before  you  call 
in  vendors. 

SET  CLEAR  EXPECTATIONS.  Explain  to  users  what 
the  new  system  will— and  won't— be  able  to  handle. 
“Nothing  causes  a  problem  like  planning  a  simple 
install  and  discovering  that  the  upper  management 
was  expecting  all  the  bells  and  whistles,”  says  one 
IT  manager. 

KNOW YOUR NETWORK. Gather all documentation for your company’s network infrastructure so that whoever designs the new system has all the specifications of the current IP network. Winners cited network stress tests and bandwidth tests as important planning tools—and noted the importance of upgrading network equipment before rolling out VoIP to guard against failures.

OUTSOURCE  DEVELOPMENT.  Or  not.  Companies 
that  hired  outsiders  to  design  and  implement  a  VoIP 
system  usually  lacked  the  internal  expertise  to  do 
it  themselves.  Conversely,  organizations  that  kept 
design  and  deployment  in-house  claimed  that  it's  now 
easier  to  support  and  maintain  their  systems  because 
their  staff  knows  the  current  infrastructure  better. 

TRAIN  USERS  BEFORE  THE  ROLLOUT.  Give 
employees  time  to  become  familiar  with  their  new 
phone's  functionality  before  they  actually  need  to  rely 
on  it  for  everyday  work. 

-Thomas  Wailgum 


User-Friendly IT Governance

management report A new version of Control Objectives for Information and related Technology (Cobit), an IT governance framework, is better organized and provides clearer links between IT processes and business goals, improvements that make this tool something CIOs should seriously consider using, says Craig Symons, an analyst at Forrester Research.

Cobit, issued by the IT Governance Institute (ITGI), is a set of guidelines IT organizations can use to employ management best practices, measure IT processes and align IT with business processes. It has become a recommended tool for IT departments to measure their value to the business, as well as comply with regulations such as Sarbanes-Oxley.

Yet  Cobit  isn’t  widely  used:  Less  than  half  of  the  CIOs  in  the 
financial  services  industry,  where  Cobit  is  most  popular,  are  even 
aware  of  the  guidelines,  according  to  ITGI’s  own  assessment. 

The reason? Since it was created in 1996, Cobit has expanded to cover so many control objectives and management guidelines that it’s difficult to make sense of them. A Cobit Primer issued by the Sandia National Laboratories in June 2005 lamented: “Of the possible objectives, on which do you spend the effort, and which do you ignore?”

Answering that question has become much easier, Symons says, thanks to Cobit 4.0. The authors have done away with Cobit’s multiple volumes, integrating the information about all 34 high-level control processes, 239 detailed control objectives and related management guidelines into one volume. What’s more, the material is organized by how one approaches projects: First, plan and organize, next, acquire and implement, then deliver and support, and finally, monitor and evaluate.

In addition, Symons says, Cobit 4.0 offers more details on how to measure whether IT processes are delivering what the business needs. For example, under the heading “defining a strategic plan” (one of the 34 high-level processes), Cobit outlines how to do that: Engage executives on alignment with business goals and develop a proactive process to quantify business requirements. “This is much more approachable and helpful than the previous version,” Symons says.

Cobit 4.0 is available at www.itgi.org. -Allan Holmes


WHILE THE DEPARTMENT OF HOMELAND SECURITY
AND  THE  SOFTWARE  ENGINEERING  INSTITUTE  AT 
CARNEGIE  MELLON  UNIVERSITY  REPORT  THAT  MANY 
SECURITY  INCIDENTS  ARE  THE  RESULT  OF  EXPLOITS 
AGAINST  DEFECTS  IN  THE  DESIGN  OR  CODE  OF 
SOFTWARE,  “BOLTING  ON”  PRODUCTS  TO  MAKE  IT 
MORE  DIFFICULT  TO  EXPLOIT  THOSE  DEFECTS  IS  NOT 
THE  WAY  TO  GO.  SOFTWARE  MUST  HAVE  “SECURITY 
QUALITY”  DESIGNED  IN  FROM  THE  START. 


Along  with  outside  threats  and 
insider  fraud,  businesses  today 
must  consider  and  prepare  for  the 
risk  of  malicious  attacks  aimed  at 
software vulnerabilities. Business-critical
applications, often deployed
in  complex  environments,  must  be 
protected  with  robust  measures  at 
multiple  levels.  Effective  security 
strategies  must  be  holistic  in 
approach,  and  must  be  thought  of 
as  a  process. 

Part  of  that  process  is  selecting  software  applications 
that  are  not  only  robust  but  also  built  by  software  vendors 
with  a  long-term  commitment  to  addressing  security  in 
the  development  stage  and  throughout  a  long  product  life 
cycle.  According  to  the  Department  of  Homeland  Security 
and  the  Carnegie  Mellon  Software  Engineering  Institute: 
“Many  security  incidents  are  the  result  of  exploits  against 
defects  in  the  design  or  code  of  software.  The  approach 
most  commonly  employed  to  address  such  defects  is  to 
attempt  to  retroactively  bolt  on  devices  that  make  it  more 
difficult  for  those  defects  to  be  exploited.  This  is  not  a 
solution  that  gets  to  the  root  cause  of  the  problem  and 
threat.”  1 

While  high-profile  attacks  justifiably  get  a  great  deal 
of  attention,  it’s  equally  important  for  the  industry  to 
take  steps  to  mitigate  the  risk  of  attacks.  While  tools 
like  firewalls  and  antivirus  software  are  key  defensive 
components,  a  more  important  element  in  long-term 
enterprise  security  may  be  software  quality.  Data  from 
the  Mitre  vulnerability  database  (cve.mitre.org)  and 
other  sources  reveal  a  trend  of  increasing  numbers  of 
security  vulnerabilities  in  most  commercial  and  open 
source  software.  The  trend  is  likely  connected  to  the 
increasing  complexity  that  comes  from  putting  more  and 
more  features  in  products,  and  is  unlikely  to  be  reversed 
without  specific,  thoughtful  action  by  vendors. 

While  some  might  argue  that  a  voluntary  inspection 
process,  such  as  that  incorporated  into  the  open  source 
development  model,  is  enough  to  reverse  the  trend,  recent 
analysis has shown that argument to be optimistic at best
(see  box  below). 

The  Microsoft®  approach  to  improving  the  fundamental 
security  of  products  revolves  around  a  commitment  to 
change  how  all  products  are  designed,  developed  and 
released.  With  a  now-famous  January  2002  memo  to 
employees,  Bill  Gates  launched  Microsoft  on  a  path 
toward  improving  its  software  development  processes 
with  the  goal  of  reducing  the  number  of  potential 
vulnerabilities,  thus  improving  security  and  overall 
availability.  That  initiative  resulted  in  sweeping  changes 
in  the  company,  including  the  establishment  of  what  is 
now  known  as  the  Trustworthy  Computing  Security 
Development  Lifecycle  (SDL),  a  process  applied  to  all 
Microsoft  products  since  the  program’s  inception  (see  the 
Trustworthy Computing SDL white paper:
http://msdn.microsoft.com/security/sdl).

SDL  has  revolutionized  the  Microsoft  software 
development  life-cycle  process,  making  security  a 
priority.  SDL  combines  advanced  tools  and  training, 
and  defines  standards  and  processes  at  each  step  of 
the  development  process  to  substantially  increase  the 
assurance  that  vulnerabilities  will  be  detected  and 
corrected  before  a  product  is  offered  to  customers.  The 
process  lowers  risk  and  total  cost  of  ownership  (TCO)  for 
customers  by  reducing  the  number  of  vulnerabilities  in 
software  products,  thus  reducing  the  potential  negative 
impact  of  the  exploitation  of  a  vulnerability.  That,  in  turn, 
increases  the  availability  of  business-critical  software. 

SDL is an augmented software development process
that is now ingrained in Microsoft development teams.
The idea is to educate everyone on best practices that help
ensure the code they develop is secure, and to institute
checks and balances to catch vulnerabilities before a
product is released. From the customer’s perspective, SDL
means the products they deploy require fewer patches
and are more reliable, resulting in lower maintenance
costs, increased availability and more manageable
security risk.

Not all certifications are equal

Windows Server 2003 with Windows XP clients and
open source competitor Novell SuSE Linux Enterprise
Server Version 9 have both been certified at Common
Criteria Evaluation Assurance Level EAL4+, signifying
compliance with U.S. and international government
security specifications. However, a little known fact is that
vendors sometimes submit subsets of their full product
for evaluation, and may not certify all of the components
that customers typically want to use.

Dickerson Technologies followed the security
configuration guides provided with each evaluated
system and attempted to build and validate six common
server roles with approved “evaluated configurations."

Dickerson found the EAL4+-certified Windows
evaluated configuration could be successfully deployed
in all six roles: directory server, certificate server, Web
server, file server, print server and networking server.

The SuSE server, by contrast, could be successfully
configured only as a print server and potentially as a file
server. The limitations were the result of the exclusion
of key components from the evaluated configuration,
including the Apache Web server, DHCP, DNS, and
OpenLDAP, among others.

QUALITY  FIRST 

At  its  core,  SDL  is  about  producing  what  Microsoft  calls 
“security  quality.”  Customers  deploy  software  to  perform 
one  or  more  specific  functions.  A  database  server,  for 
example,  may  hold  valuable  intellectual  property  as  part  of 
critical  business  infrastructure.  If  that  database  server  has 
fewer  vulnerabilities,  it  will  likely  have  increased  stability, 
making  both  the  risk  management  and  maintenance 
process  easier  and  more  cost-effective.  SQL  Server  2005, 
for  example,  which  was  released  under  the  SDL  process, 
has  had  fewer  vulnerabilities  (zero  so  far,  more  than  six 
months  after  its  release),  than  previous  non-SDL  releases 
compared with databases such as Oracle 10g or MySQL.
The  higher  security  quality  of  SQL  Server  2005  translates 
directly  into  business  benefit. 

GETTING  SECURE 

The  guiding  principles  behind  the  SDL  program  are 
what  Microsoft  calls  SD3+C:  Secure  by  Design,  Secure  by 
Default,  Secure  in  Deployment  and  Communications. 

Secure  by  Design  means  the  software  is  architected 
and  implemented  to  protect  itself  and  the  information  it 
processes,  and  to  resist  attacks. 

Secure  by  Default  recognizes  that,  despite  these  best 
efforts,  vulnerabilities  may  still  exist  in  any  software,  so 
its  default  state  should  be  one  that  promotes  security.  For 
example,  software  should  run  with  the  least  necessary 
privilege,  and  with  services  and  features  that  are  not 
widely  used  turned  off. 

Secure  in  Deployment  refers  to  the  tools  and  guidance 
that  should  accompany  software,  to  help  end  users  and 
administrators  use  it  securely.  It  also  means  updates 
should  be  easy  to  deploy. 

The  Communications  tenet  means  developers  need  to 
be  prepared  to  deal  with  any  vulnerabilities  that  crop  up 
once  their  software  is  deployed.  That  includes  openly  and 
effectively  communicating  to  customers  any  protective 
or  corrective  actions  they  should  take,  such  as  applying 
patches. 

To  ensure  these  principles  are  followed  day  to  day, 
Microsoft  has  instituted  a  number  of  policies  and 
processes  around  SDL.  They  include  mandatory 
application  of  the  SDL  for  any  software  that  is  expected 
to: 

•  Process  personal  or  sensitive  information 

•  Be  used  in  an  enterprise  or  other  organization,  such 
as  academia,  government  and  nonprofits 

•  Be  connected  to  the  Internet  or  other  network 
environment 

Education continues, with annual requirements for
all developers, testers, program managers and even
documentation personnel whose software is subject to the
SDL. And while security reviews are conducted at various
phases in the development process, the concept of a Final
Security Review (FSR) was introduced in late 2002.

“The SDL process does represent a significant
investment in improving security,” says Jeffrey R. Jones,
a director of Microsoft's Security Technology Unit,
“but we believe the long-term return on investment
will be well worth it. Improved security is resulting in
happier customers, making this a win-win investment for
Microsoft and our customers.”

THE NUMBERS STORY

As the SQL Server 2005 numbers noted above
demonstrate, the SDL is showing encouraging results.
Windows Server 2003, the first operating system
release at Microsoft developed under large portions of
the SDL process, has seen far fewer security bulletins
than its predecessor, Windows® 2000. In the first year
after its release, Microsoft issued 62 security bulletins
for Windows 2000 that by today’s standards would be
considered “critical” or “important.” Windows Server
2003 saw only 24 in the same time period, a significant
improvement.

SQL Server and Exchange Server have seen similar
results after the SDL was applied to service packs for
those products. The number of security bulletins issued
in the 24 months after the release of SQL Server Service
Pack 2 was 16; for Service Pack 3, it was only three. For
Exchange Server 2000, over the course of 18 months,
the number of bulletins went from eight for the pre-SDL
service pack to two.

Windows vs. Linux: Comparing apples to apples

Open source proponents have for some time touted the idea
that Linux is more secure than Windows, citing the number
of vulnerabilities found in Windows. But determining which
environment is more secure involves diving deeper into the
discussion. Over the past couple of years, a number of third
parties have tried to unearth objective data on the debate,
with interesting results.

Forrester Research found Microsoft responded more quickly
once security vulnerabilities were publicly disclosed, with
patches released in 25 days on average. That was less than
half that of the nearest competitor, Red Hat, which
averaged 5? days.

Forrester also found Microsoft had the fewest total number
of flaws, with 128 for all Microsoft products, compared to
126 with SuSE Linux (since acquired by Novell), 199 for
MandrakeSoft, 229 for Red Hat and 28B for Debian. Microsoft
was the only vendor that issued patches for 100 percent of
the vulnerabilities found within the test period.

The software security firm Security Innovation took the
discussion a step further, seeking to find out how many
vulnerabilities exist in servers configured for certain functions,
including a Web server and database server. One key goal of
its study, which was sponsored by Microsoft, was to address
the common objection that comparing a Linux distribution
to Windows is not an “apples to apples” comparison, since
the Linux distribution includes many applications not
typically installed in a real-world scenario. To that end, Security
Innovation compared a Linux-Apache-MySQL-PHP (LAMP)
stack with a fully configured Windows Web server.

It found 52 vulnerabilities in Windows Server 2003 running
Microsoft Internet Information Services 6.0, the Microsoft SQL
Server 2000 database server and the ASP.NET application
platform. By contrast, Security Innovation found 132
vulnerabilities on a minimally configured LAMP implementation.
In the default Red Hat configuration, Security Innovation
found 124 vulnerabilities. In terms of days of risk, Security
Innovation found the Windows solution averaged 31.3 days
per vulnerability while the minimal Linux platform averaged
69.6 days and the default Linux platform 21.4 days of risk.

Security Innovation’s tests of database server configurations
produced similar results. It found 63 vulnerabilities for SQL
Server 2000 on Windows Server 2003, 116 for a minimally
configured MySQL database on Red Hat Enterprise Linux
server, and 202 for Red Hat Enterprise Linux server running
Oracle 10g. The Windows solution also came out on top in
terms of days of risk, with an average of 32 days vs. 38.2 for
Oracle on Linux and 61.6 days for MySQL on Linux.

The  analyst  community  is  also  taking  notice. 
“Microsoft  has  proven  time  and  time  again  that  its 
corporate  focus  equates  with  execution  excellence 
somewhere  down  the  line,”  wrote  Jon  Oltsik,  a  security 
analyst  with  Enterprise  Strategy  Group,  in  an  Aug.  29, 
2005,  security  brief.  “The  company  is  now  delivering  on 
security  in  a  way  that  sets  it  apart  from  other  software 
companies.” 

THE  CUSTOMER  VIEW 

Customers  are  likewise  seeing  the  improvement  in 
security  quality.  In  a  2005  survey  of  550  IT  managers 
and  C -level  executives,  the  Yankee  Group  reported  a  100 
percent  improvement  in  the  average  Microsoft  security 
marks  vs.  the  same  survey  in  2004. 

Simply  put,  a  reduction  in  software  vulnerabilities 
means  fewer  security  bulletins  and  fewer  patches  to 
apply.  That  translates  to  an  overall  reduction  in  software 
maintenance costs and TCO.

A  study  published  in  April  2005  by  Wipro  Technologies 
(and  audited  by  META  Group)  found  that  the  total  annual 
cost  of  patching  Windows  systems  was  less  than  for  open 
source  software  (OSS)  operating  systems,  which  are 
often  touted  as  being  less  costly  and  more  secure  than 
Windows.  The  study  took  into  account  all  the  elements 
that  go  into  the  patching  process,  including  not  only 
the  actual  act  of  patching  a  client  or  server,  but  also 
investment  in  patch  management  tools,  vulnerability 
research  and  monitoring,  and  ongoing  patch  management 
support  costs. 

Wipro  found  annual  costs  for  patching  Windows 
clients,  servers  and  database  servers  to  be  $1,622  per 
system,  or  44  percent  less  than  the  $2,903  annual  tab 
to  patch  comparable  OSS  systems.  “More  importantly, 
individual  Windows  systems  require  roughly  14  hours  per 
year  of  support  effort  versus  32  hours  for  OSS  systems,” 
the  report  says. 

The  Yankee  Group  study,  which  was  published  in 
July  2005,  indicates  the  patching  picture  is  getting  even 
brighter  for  Windows  customers.  “Survey  respondents 
reported  they  have  reduced  the  time  spent  on  applying 
and  distributing  Windows  updates  and  patches  by 
50  percent  to  80  percent  since  Microsoft  went  to  a 
monthly  schedule  of  patch  management  releases  in 
the  fall  of  2004.  Additionally,  the  availability  of  free 
Microsoft  patch  management  utilities  means  there  is  no 
incremental  cost  to  the  user,”  the  report  says.  “Although 
patch  management  issues  have  eased  for  Windows 
networks,  they  are  worsening  for  Linux  servers.  Linux 
IT administrators report they spend on average 15 to 23
percent longer—approximately two to five hours more per
week—on patch management distribution compared to
the same period in 2004.”

Security  quality  also  has  a  direct  correlation  on 
availability:  Fewer  vulnerabilities  mean  less  security 
risk.  Forrester  Research  sought  to  quantify  the  level 
of  risk  with  an  “all  days  of  risk”  metric,  which  is  the 
number  of  days  between  when  a  security  vulnerability  is 
made  public  and  when  the  first  patch  is  issued.  It  found 
Windows  demonstrated  the  lowest  overall  days  of  risk 
of  all  the  platforms  evaluated  for  the  study,  including 
a  number  of  OSS  systems.  Microsoft  was  also  the  only 
vendor  to  issue  patches  for  all  the  vulnerabilities  found 
during  the  test  period  (see  “Apples  to  Apples,”  previous 
page). 

Recovery  time  is  an  important  consideration.  Here 
again,  the  Yankee  Group  study  found  Windows  fares  well. 
“Windows  servers  recover  approximately  30  percent 
faster  (about  four  hours)  from  security  attacks  than  Linux 
servers,” the study reports. “This is mainly due to
Microsoft’s  superior  documentation,  fast  response  time 
and  enhanced  patch  management  services.  It  underscores 
the  need  of  both  Linux  vendors  and  users  to  quickly 
improve  security  documentation.” 


Get more online:

Learn more about Windows security by reviewing the various
studies mentioned in this report.

Forrester Research: Is Linux More Secure Than Windows? http://download.microsoft.com/download/9/c/?/9c?93b?6-9eec-4081-98ef-fld0ebfffe9d/LinuxWindowsSecurity.pdf

Security Innovation Database Server Role comparison: http://download.microsoft.com/download/l/e/e/lee952f2-228?-4cc3-8ccd-03bb62e38e5a/Seclnnovation.pdf

Security Innovation Web Server Role comparison: http://download.microsoft.com/download/2/c/9/2c93ed64-blal-4c8?-9e3b-6920ee38?cda/DB Role Security.pdf

Yankee Group: 2005 North American Linux and Windows TCO Comparison Report, Part 2 http://download.microsoft.com/download/?/8/C/?8C85BFF-F9B8-4130-913F-21ADF8F0E1 3 l/AISP-132 53.pdf

Dickerson Technologies: Windows and SuSE Linux EAL4+ Workload Comparison http://www.microsoft.com/windowsserversystem/facts/analyses/eal4compare.mspx

Enterprise Strategy Group: Could Microsoft Make Security a Competitive Differentiator? http://download.microsoft.com/download/?/c/5/?c51c83b-d8?3-40ce-9405-?f?9292?eeca/Microsoft securityaug.pdf

Think Security: Jeff Jones Security Blog http://blogs.technet.com/security

THE  BOTTOM  LINE 

With  fewer  vulnerabilities  to  patch,  better  tools  for 
patching  them  and  quicker  recovery  from  the  rare 
successful  attack,  it’s  clear  that  Windows  allows  IT  to 
spend  less  time  on  security  maintenance  chores,  leaving 
more  for  strategic  corporate  endeavors. 

Microsoft understands, however, that achieving proper
security requires vigilance, and is a never-ending process.
The company is constantly revisiting and refining its SDL
to ensure it meets new requirements.

“Security  quality  is  fundamental  to  every  aspect  of 
our  design,  development  and  engineering  processes,” 
said  Ben  Fathi,  corporate  vice  president  of  the  Microsoft 
Security  Technology  Unit.  “We  are  deeply  committed 
to  innovating  and  refining  our  security  engineering 
practices  to  achieve  and  retain  the  highest  standards  in 
the  industry  on  security  for  our  customers.” 

Microsoft 


1. (Department of Homeland Security, https://buildsecurityin.us-cert.gov/portal/index.html#whatsnew)
THE PUNISHMENT FOR LAX SECURITY:
Two Decades of Audits

PRIVACY | Nations Holding, a real estate company operating in 44
states, must improve its information security practices and submit to
biennial security audits for the next 20 years under a settlement with
the Federal Trade Commission.

The FTC charged that the company had allowed a common Web attack to
compromise customer data, and that its Nations Title Agency (NTA)
subsidiary had disposed of home-loan applications containing
customers’ personal data in a public Dumpster.

The resolution is similar to those of several cases the FTC has settled
in the past couple of years, including cases against DSW, a footwear
retailer, and BJ’s Wholesale Club, in which customer data was
compromised. Data broker ChoicePoint received an even stiffer penalty
in January—a $15 million fine—partly because it failed to tighten its
procedures after law enforcement alerted the company to fraudulent
activity.

“Data security has been surprisingly lax at a number of companies,”
said FTC Chairwoman Deborah Platt Majoras in a recent speech, adding
that the agency looks for “reasonableness, not perfection” in company
security practices. “The cases we’re bringing have not been close
calls,” she said.

Nations Holding and NTA obtain personal consumer information,
including names, Social Security numbers and credit histories to
provide home purchasing services such as appraisals and title
insurance.

Among the company’s security lapses, the FTC said, were the failure to
implement “simple, low-cost, readily available” defenses to common
website attacks and the failure to implement “reasonable” policies in
key areas such as employee screening and training or the handling of
personal data.

The FTC said that in April 2004, a hacker used a common Web attack to
gain access to Nations Holding’s computer network. The agency did not
specify the type of attack. In addition, the FTC said, in February
2005, a Kansas City TV station found paperwork containing customers’
personal information in a Dumpster outside the building. -Grant Gross


New Blood for RadioShack

ON THE MOVE | In March, RadioShack hired Cara Kinzey as its senior VP
of IT. Kinzey, who joined the Fort Worth-based retailer from Sam’s
Club (a division of Wal-Mart), is the third person in 13 months to
hold the top IT post.

Kinzey replaced Don Vietti, who left his job as CIO of the consumer
electronics retailer in February to join Carlson Restaurants Worldwide
as its new CIO. Vietti had been appointed CIO a year earlier, upon the
retirement of then-CIO Evelyn Follit.

The turnover at RadioShack stems from the company’s recent financial
challenges and the subsequent changes the board has made to top
management. Last year was especially tumultuous: RadioShack’s profits
declined 21 percent in 2005. To make matters worse, its previous CEO,
David Edmondson, was forced to resign earlier this year after the Fort
Worth Star-Telegram revealed that he had lied about his college degree
on his resume.

Breck Ray, president of executive search firm Ray Partners, which
recruited Kinzey to RadioShack, says Kinzey’s hire is part of an
effort to bring new blood into the organization (current CEO Claire
Babrowski joined RadioShack from McDonald’s, another company that’s
been through a high-profile turnaround). “RadioShack has been seeding
its leadership with outsiders who come from forward-thinking,
contemporary organizations,” Ray says. Kinzey, as Sam’s Club’s VP of
membership, executed a strategy to beef up the retailer’s membership
at a time when its numbers were dropping.

In addition to her Wal-Mart pedigree, Ray says, Kinzey’s business
experience impressed RadioShack. He notes that she worked in customer
service, accounting, internal audit and strategy development before
moving into IT and then marketing. Says Ray, “She can see IT from the
perspective of the guys running the stores, from the perspective of
the merchandisers and from the perspective of the CFO’s office because
she’s sat on their side of the [desk].”

-Meridith Levinson




Dirty Code, Licenses and Open Source

The intricacies of free and open-source software licenses require an
honest conversation between you and your legal department

BY  CHRISTOPHER  LINDQUIST 

OPEN  SOURCE  |  Karen  Copenhaver,  a  partner  at  law  firm  Choate,  Hall  &  Stewart, 
tells  a  story  about  running  a  seminar  for  a  large  company.  The  goal  of  the  seminar  was  to 
make  it  clear  that  software  developers  had  a  responsibility  to  abide  by  their  company’s 
guidelines  surrounding  the  use  of  open-source,  free  and  other  third-party  code. 

Copenhaver  thought  it  went  well.  Then  the  development  group’s  manager  came  up  to 
her  and  said,  “You  know,  these  fellows  can’t  get  everything  they  need  to  get  done  every 
day  and  worry  about  all  of  this  stuff.” 

The  manager’s  words  lie  at  the  core  of  an  issue  that  affects  countless  development 
departments  around  the  globe  today.  Faced  with  shrunken  budgets,  tight  deadlines,  the 
fear of jobs being shipped off to the lowest bidder and expanding demands for
ever-more-complicated software, programmers are tempted to grab bits, pieces and even large bites
of  code  from  various  third-party  sources  in  order  to  get  things  done  more  quickly. 

The  consequences  of  this  (to  be  kind)  borrowing  can  be  anodyne;  that  is,  no  one  ever 
notices  the  code,  the  product  ships  (either  externally  or  internally),  and  life  goes  on.  Or  the 
consequences can be catastrophic. Dirty code, according to intellectual
property lawyers, has led to expensive delays during many mergers and
acquisitions. And thanks to the efforts of a single programmer—Linux
kernel contributor Harald Welte—at least 100 companies have been
forced either to remove or release as open-source various pieces of
GPL code that they borrowed without properly complying with the
license.


It doesn’t have to be this way. Companies can avoid problems resulting
from the use of open-source code. Legal experts we spoke with offered
numerous tips and tactics for maintaining the flexibility necessary to
take advantage of this important tool in the software developer’s box
while limiting the risk.

Know Your (Open) Sources

Just because a piece of code a developer downloaded off SourceForge says it is
released under the Mozilla Public License doesn’t mean that all that code wasn’t
itself stolen from someplace else. (In the Linksys router case, for instance, Linksys
reportedly bought chips from Broadcom, which in turn received firmware from
overseas third parties—making it difficult to clearly define what Linksys should have
known about its code.)

For that reason, experts say it's worth trying to get the code you use from trusted
sources. The people behind larger, more public open-source and free software
projects often claim to be very careful about who they let contribute code and how
thorough they are in determining the origins of that code. Some companies that deal
in open-source code—including Red Hat and Hewlett-Packard—offer indemnification
programs that could help protect your company should the code you're using be
found to infringe on someone else’s intellectual property rights. -C.L.

Assume You’ll Get Caught

Copy some code, change the variables, tweak the white space.... Who’ll
ever know? Perhaps at one time there wasn’t much chance that anyone
would identify code that had been illicitly lifted from someone else’s
work. But times have changed. Source-code compliance tools from the
likes of Black Duck and Palamida, which can scan millions of lines of
code and compare them with huge databases of known software, allow
companies to locate (and locate pretty quickly) previously created
code—even if variable names and white space have been modified by the
borrower.

Black Duck’s client list has grown more than 300 percent during the past year
and now includes 11 Fortune 500/Global 500 companies. Its hosted code
assessment service, ProtexIP/OnDemand, has been downloaded by hundreds of
companies and has been used in more than 140 merger and acquisition due
diligence transactions totaling an estimated $9 billion, according to the
company. Searches for suspicious code are becoming de rigueur during the due
diligence surrounding mergers and acquisitions. The culture surrounding
open-source and free software has had an impact as well. Whistle-blowers have
outed their employers over open-source code misuse. Some GPL violations have
also been called to the attention of the world by interested users who notice
suspiciously familiar behavior in commercial products. (For instance, network
hardware maker Linksys, soon after its 2003 purchase by Cisco, was famously
inspired to release the firmware to its WRT54G router when motivated users
uncovered that pieces of the firmware were based on Linux.)

Dedicated GPL defender Welte, who owns copyrights on pieces of the Linux
firewall code, has used that copyright to encourage (or, through suits brought
in German courts, force) more than 100 companies either to remove infringing
code or release their corporate source code to the public. The companies
involved range from smaller firms to corporate giants, such as Asus, Belkin,
Fujitsu Siemens and others. Welte’s plans to create a nonprofit organization in
Germany to aggressively pursue such copyright infringement may help accelerate
his efforts.

“In our view, it is necessary to raise public awareness and to make cases
public,” Welte says. But, he insists, “this is not a witch hunt or some kind of
religious battle. It’s just making corporate users play by the rules when they
have, for whatever reason, overlooked them.”

Even  given  all  this,  the  odds  that  you’ll 
get  caught  may  still  be  slim.  However,  as 
open-source  software  finds  its  way  into 
ever-more-critical  systems  inside  your 
company,  the  risk  to  your  company  if  you 
are  caught  has  increased  dramatically. 

Talk  to  the  Lawyers 

What  unusual  patent  provisions  exist  in 
the  Mozilla  Public  License? 


How  far  does  the  GPL  go  to  protect 
derivative  works? 

Heck,  what  is  a  derivative  work? 

Like it or not, attorneys—not developers—are in the best position to answer
questions like these, particularly as they pertain to your business or to your
approach to using open-source software. Getting your legal department involved
early is the best way to ensure against running into problems in the future.
The key is to make it clear up front that open source is a critical piece of
your development plans so that the legal folks will take that into account.


It might seem easier to simply avoid the hard questions, but doing so only
increases your risk. “It really is incumbent on CIOs and other IT managers to
understand that this is a real issue,” warns Mark Radcliffe, a partner at DLA
Piper Rudnick Gray Cary and chairman of a committee working to develop GPL 3.

Just because you bring in the lawyers, however, doesn’t mean you’ll get
decisive answers to all your licensing questions. Open-source case law isn’t a
well-trodden path. “It would be easier to advise clients if there was more case
law in the area,” admits Ira Heffan, an associate at Goodwin Procter who in
1997 wrote a law review article that argued that the GNU General Public License
was enforceable. He notes, however, that there have been efforts to reach some
consensus on open-source matters, including a so-called moot court held in
early 2006 at the University of Washington that produced legal briefs and
helped establish dialogues with some federal circuit judges on various
open-source matters.

Create Ground Rules

While meeting with your legal representation, it also will pay to establish
some ground rules for open-source use. “Some people used to rely on a simple
prohibition,” says Radcliffe. “That’s not realistic.” Instead, he says,
companies must establish rules. In his experience, those rules can vary
dramatically. He knows of one “major Silicon Valley company,” for instance,
that has a development agreement that refers to open source as “infectious
software.” Others, he says, have developed entirely separate due diligence
processes for dealing with open source during acquisitions. And he knows of one
company that uses open source internally but prohibits it in products it makes
available to customers.

The key is to give developers rules for when and how to integrate external code
of any type into their projects. “What is very clear,” Radcliffe says, “is that
if the people who are actually doing the coding don’t have direction and some
type of enforcement mechanism, they’re going to pull whatever they can off the
Internet whenever they can.”

Investigate  Your  Code 

While a few years ago a claim of “we didn’t know about this open-source stuff”
might have carried some weight in court or with a potential (and now
unpleasantly surprised) merger partner, that’s no longer the case. Open-source
products are mainstream now, not esoteric, and the responsible use of code has
become a given.

Consequently, legal experts say that it’s important for companies to have a
process in place for carrying out investigations into the provenance of their
code. Choate’s Copenhaver, who is also a counsel for Black Duck, says that
companies should establish a schedule for senior executives to be briefed on
issues and possible remediation at a set time after the investigation is
complete. The goal, she says, is to keep the company from feeling a need to
react to incomplete findings.

The process also should involve regular meetings with developers who are found
to be using free or open-source code without properly following licenses, she
says. These developers need to be made aware of the consequences of not
following the rules—not just for the company, but for themselves too. “Anyone
who’s had the experience of having just finished something only to have to take
it all apart and re-QA it” will not want to repeat the experience, says
Copenhaver.

And  to  keep  developers  from  feeling  the 
need  to  grab  code  on  the  sly,  management 
needs  to  help  them.  “The  problem  with  the 
fellow  who  says,  ‘These  guys  can’t  get  their 
job  done  and  worry  about  all  this,’  is  that 
he  hasn’t  built  a  structure  to  support  the 
developers  so  they  can  get  their  questions 
answered  quickly,”  says  Copenhaver. 

Getting those answers, she asserts, will be a matter of building trust between
the development and legal staffs. “What we really want to get to is an honest
conversation. If what you’re saying is, ‘Just say no, we don’t use any of this
[open-source] stuff,’ what you’re really saying is, ‘Don’t ask, don’t tell.’
What you need to be saying instead is, ‘We can get an enormous amount of
leverage and competitive advantage by making the best use possible of these
available resources. But [we need to do] it fully understanding what our
compliance obligations are.’”


Technology  Editor  Christopher  Lindquist  can  be 
reached  at  ctindquist@cio.com. 
Why Leaders Fail

If  you’re  heading  in  the  wrong  direction,  every  step  you  take  will  be  wrong 


Whether  leaders  are  born  or  made,  I  do  not 
know.  What  I  do  know  is  that  if  you  are  a 
leader,  you  feel  your  pulse  quicken  when 
you  see  the  opportunity  to  create  order  from 
chaos  and  rally  people  to  achieve  an  important  goal.  In  such 
situations,  I  find  myself  so  eager  to  charge  in  that  I’m  reminded 
of  the  black  Labrador  retriever  my  family  had  when  I  was  in 
high  school.  Her  name  was  Bebe. 

On walks with Bebe all I had to do was lift my arm with a ball in my hand and
she’d get so excited she could hardly contain herself. She wanted so much to
charge off and retrieve it. Sometimes I would only pretend to throw, but Bebe
would race off anyway, looking for whatever she thought I had thrown.

It’s  good  to  feel  excited  when  an  opportunity  arises  that  calls 
for  your  leadership.  But  I  have  learned  to  make  sure  there  really 
is  a  stick  or  a  ball  out  there  before  I  charge  off.  Experience  has 
taught  me  to  look  at  the  factors  shaping  a  situation  before  I 
leap  in,  particularly  whether  the  strategy  being  employed  is 
right  for  the  goal  I  am  trying  to  accomplish.  For  in  the  service 
of  flawed  strategy,  even  great  leadership  will  fail. 

The  Eager  Leader 

This  lesson  became  apparent  to  me  some  years  ago  when  I  was 
asked  by  a  financial  services  company  to  review  a  high-profile 
system  development  project.  The  company  had  embarked  on 
a  project  to  re-create  a  financial  reporting  system  that  at  the 
time  ran  only  on  its  own  mainframe.  The  goal  was  to  rebuild 
the  system  using  new  software  so  that  it  would  run  on  smaller 
and  less  expensive  servers.  Then  the  company  would  add  new 
features and sell the system to many of its existing customers, as well as new
customers.

But  there  were  problems.  The  reporting  logic  used  by  the 
legacy  system  was  not  properly  documented,  so  it  was  hard 
to  re-create  it  in  the  new  system.  Also,  the  new  development 
software  was  complex  and  required  a  lot  of  user  training. 

The  first  release  of  the  new  system  often  ran  very  slowly. 
It  took  15  to  20  minutes  to  run  some  important  reports.  And 
customers  had  questions  about  the  accuracy  of  some  of  the 
report  calculations.  Those  customers  who  saw  the  first  release 
made  it  clear  that  these  problems 
had  to  be  fixed. 

After a two-week assessment of the situation, I made my recommendations. I
advised that the company organize the project using rigorous project management
and that it adopt a more specific set of system development objectives. Working
with the development team leaders, I used these objectives to put together a
high-level plan showing the tasks, time frames and budgets needed to finish the
system.

My recommendations also addressed problems the company was having with the
development software. This was the first time the software had been used for
such a large system. Not only that, but the company’s development teams were
not fully trained. I recommended that the software vendor send its experts to
work onsite with the financial services company’s development teams.

The  senior  managers 
of  the  company  were  so 
pleased  that  the  COO  asked 
me  on  the  spot  to  lead  the 
project.  I  felt  the  adrenaline 
rush.  “Yes!”  I  thought,  “I  can 
whip  this  project  into  shape. 
I’ll  show  them  what  a  real  leader  can  do.”  The  company  needed 
to  have  its  system  ready  to  demonstrate  at  an  industry  trade 
show  in  three  months.  I  charged  in  to  make  it  happen. 

What  I  Did  Right 

I  set  up  a  project  office  and  applied  a  rigorous  management 
process.  I  refocused  each  development  team  on  one  of  the  new 
objectives  and  made  sure  they  understood  clearly  what  was 
expected  of  them.  This  eliminated  any  duplication  of  work 
as  well  as  confusion  that  had  been  caused  by  different  teams 
working  on  the  same  system  features  due  to  poorly  defined 
objectives  and  lax  project  management. 

I facilitated several sessions where the company’s developers and people from
the software vendor pointed fingers. I cut through the excuses and double talk
on both sides and got them to own up to their faults. I negotiated an
arrangement in which the software vendor sent a group of experts out to the
company’s office to work alongside the development teams.

We  had  regular  project  meetings  and  frank  discussions. 
We  got  issues  out  into  the  open,  resolved  them  and  moved  on. 
I  watched  progress  like  a  hawk,  and  when  an  activity  started 
to  lag  behind  schedule,  I  got  personally  involved.  Deadlines 
were  sacred.  The  teams  worked  long  and  hard. 

Under my leadership, the developers delivered the system on schedule. There
were still some problems, but the experts from the software vendor kept
tinkering with the code and felt they could fix them. The decision was made to
demonstrate the system at the trade show.

It worked better than it had before but still failed to generate much
enthusiasm. System response times had been improved by more than 50 percent,
but that meant it still took five to 10 minutes for some reports to run. And
customers still questioned the validity of certain report results.

Why  Things  Went  Wrong 

A  few  weeks  later  the  project  was  finally  shut  down.  For 
months  afterward,  I  asked  myself  what  I  had  done  wrong. 
Then  I  realized  I  had  made  the  same  mistake  Bebe  used  to 
make.  Even  though  she  was  full  of  energy,  there  was  no  way 
she  could  retrieve  something  that  was  not  there.  I  had  tried  to 
retrieve  a  project  that  was  not  retrievable.  My  leadership  skills 
were  not  to  blame. 

The  project  was  bound  to  fail  because  the  strategy  driving  it 
was  not  viable;  scrapping  the  legacy  reporting  system  in  favor 
of  some  leading-edge  software  was  a  mistake.  In  my  eagerness 
to  start  leading,  I  had  failed  to  acknowledge  something  we  all 
know:  that  leading-edge  software  requires  a  lot  of  testing  and 
tweaking.  That  makes  it  risky  to  use  for  a  critical  project. 

If  I  had  this  project  to  do  over  again,  I  would  build  only  new 
features  with  the  new  software.  Existing  features  and  reports 
that  already  worked  would  stay  on  the  mainframe.  Version  1.0 
of  the  new  system  would  be  delivered  fast  and  cheap  because 
the  only  development  would  be  to  create  new  features,  not 
re-create existing ones. That strategy—combined with good
leadership—would deliver success.


Mike Hugos is the former CIO of Network Services and the author of two books,
Building the Real-Time Enterprise and Essentials of Supply Chain Management. He
can be reached via www.michaelhugos.com. Send your comments to
leadership@cio.com.
EXECUTIVE COACH

Susan Cramm

The Folly of Finger-Pointing

If individuals don't accept personal responsibility when things go wrong, their
organizations will become dysfunctional and stay dysfunctional

People make mistakes. Things fall apart. The only surprising thing about the
very common phenomena of faulty leadership and project failure is the disbelief
and disappointment that people express when things go wrong, and our eagerness
to look outside ourselves when searching for something—or someone—to blame.

Look at the responses to CIO Senior Writer Thomas Wailgum’s online request for
stories about IT’s worst practices. (For the litany of complaints, go to
http://www.cio.com/blog_view.html?CID=l502S.) As Wailgum’s respondents
recounted the oh-so-familiar stories of shortsightedness, finger-pointing,
incompetence and just plain meanness, they revealed their own anger and
hopelessness—emotions that come from a sense of powerlessness.

Consequently,  none  of  the  online  respondents  talked  about 
their  own  mistakes  or  discussed  their  own  acts  of  commission 
or  omission  that  ensured  that  things  would  go  from  bad  to 
worse. 

The  voices  in  these  stories  were  largely  the  victims’.  But  how 
many  were  complicit  in  their  own  victimization? 

Taking  Responsibility 

Early  in  my  career,  I  had  an  abusive  boss.  At  the  time,  for  a 
variety  of  reasons,  I  lacked  the  courage  to  report  the  issue  to 
my  seniors  and  kept  quiet.  As  a  consequence,  others  were 
abused  as  well.  I  made  a  mistake,  and  I  learned  from  it.  Many 
years  later,  when  I  reported  to  an  abusive  CEO,  I  called  him  to 
account.  True,  I  could  have  been  fired,  but  jobs  are  easier  to  find 
than  one’s  dignity  once  lost. 


What  really  matters  is  not  what  happens  to  you  or  around 
you;  what  matters  is  how  you  respond  and  what  you  learn 
from  it.  Unfortunately,  most  people  have  a  difficult  time 
acknowledging  their  own  accountability  for  the  messes  they 
find  themselves  in. 

In one organization, for example, a change agent with a hefty budget and a
senior-level mandate quickly created enemies due to her tendency to talk too
much and belittle the work of others. While it’s true that she behaved
inappropriately, why did the organization have to pull in an external coach to
deliver the message in the first place? When she recently said to me, “This
organization is so passive-aggressive; people never say what’s on their
mind”—sure, she was partly in denial, but she also had a point. Her behavior
could not have continued were it not for the fact that those around her were
unwilling to step forward and call her on her behavior.


Taking  Action 

The  tendency  to  externalize  is  never  more  obvious  than  when 
I  am  playing  back  360-degree  feedback  to  a  client.  My  first 
challenge  is  to  get  through  the  “buts”:  “But  they  wanted  it 
done  cheaper  and  faster.”  “But  they  didn’t  involve  me.”  Once 
those  excuses  are  cleared  away,  my  client  is  able  to  identify 
ways  he  could  have  improved  the  situation. 

Next,  to  test  the  client’s  understanding  of  the  feedback,  I 
ask him to do three things: Write down what he’s heard and
learned,  commit  to  future  actions  and  meet  with  others  to 
review  their  insights.  Most  clients  get  through  the  first  task, 
although  it  usually  requires  two  or  three  iterations  before  it’s 
clear  that  the  words  have  made  it  from  head  to  heart.  But  less 
than  75  percent  of  clients  make  a  meaningful  commitment 
to  change,  and  only  about  25  percent  ever  meet  with  critical 
stakeholders  to  secure  support. 

Most people, when faced with setbacks or negative feedback, have a tendency at
first to place blame externally. Only those with humility, self-confidence and
discipline are able to take the steps necessary to internalize criticism and be
accountable. Exploring the good, bad and ugly of one’s impact on others is a
humbling process. Translating insights and commitments from thought to action
requires the courage to forge more trusting, productive relationships by
exposing your vulnerabilities and negotiating changes that will benefit both
parties.

Stop criticizing and start empathizing. Aspire to become a better leader by, in
the words of Jim Collins, “look[ing] in the mirror, not out the window, to
apportion responsibility for poor results, never blaming other people, external
factors or bad luck.”

Leaders  understand  that  when  one  person  changes, 
everybody  changes.  And  that’s  a  source  of  hope  in  a  messy 
world. 


Reader  Q&A 

Q:  People  put  up  with  abusive  bosses  because  they 
fear  for  their  jobs.  The  problem  is,  the  system  produces 
abusive  behavior.  How  can  we  change  the  system? 

A: Progressive organizations factor 360-degree feedback into decisions
regarding promotion (or lack thereof). Until this practice is standard
procedure, abusive bosses will continue to exist, and only those employees who
are courageous and secure in their employability will cease being victims.


Q:  I  have  been  accused  of  the  opposite  behavior— of 
taking  everything  to  heart.  What  are  your  thoughts? 

A:  Those  who  sidestep  responsibility  are  the  problem 
rather  than  the  solution.  But  those  who  try  to  assume 
all  the  responsibility  and  fix  things  on  their  own  limit 
their  impact.  It’s  only  by  engaging  others  that  lasting 
change  can  be  made.  Business  is  not  a  solitary  pursuit. 


Q:  If  your  employees  aren’t  making  mistakes,  you’re  in 
trouble;  they’re  either  doing  nothing  or  lying.  But  how 
do  you  protect  yourself  and  your  employees  from  a 
manager  who  equates  mistakes  with  incompetence? 

A:  In  R&D  type  efforts,  label  the  work  so  it’s  clear  that 
the  outcome  of  the  effort  is  to  determine  feasibility. 
Build  contingency  and  risk  mitigation  into  your  plans 
so  that  mistakes  aren’t  as  visible  upward.  Finally,  try  to 
keep  your  boss  focused  on  the  ends  by  keeping  him  out 
of  the  details— either  in  the  planning  of  the  approach 
and  timing  or  the  review  of  the  status. 


Q:  How  can  a  manager  build  a  culture  in  which  people 
take  responsibility  not  only  for  their  own  performance 
but  for  their  group’s? 


A: If you want people to take more responsibility, make sure they understand
the organization’s goals, provide information that illustrates what is and is
not working, clarify how work gets done so they know where to go and whom to
talk to, push decision-making downward, and reward risk-taking and sharing.


Susan  Cramm  is  founder  and  president  of 
Valuedance,  an  executive  coaching  firm 
in  San  Clemente,  Calif.  E-mail  feedback  to 
susan@valuedance.com. 
CIOs have been cutting costs for years—and not seeing those savings coming
back to IT. That’s why you have to learn to cut strategically.

BY  GALEN  GRUMAN 


TWO YEARS AGO, WHEN RICHARD TOOLE became CIO at pharmacy service provider
PharMerica, he faced two very tough challenges: Reduce IT costs and earn the
trust of the business. At the time, IT organizations all over the country were
facing similar pressures. The U.S. economy was still stumbling after the double
blow of 2001’s terrorist attacks and the turn-of-the-century financial
scandals. At PharMerica, the pressure was even greater. The IT organization
that Toole inherited had little credibility within the organization, and had
even less when it came to driving cost savings itself.

“We used to be called the ‘helpless desk’ when I joined,” recalls Toole.

Toole knew that unless he changed his department’s relationship with the business, IT would always be viewed as a cost center, facing an endless stream of declining budgets dictated by others. So he was determined to demonstrate financial discipline by managing IT strategically, correcting inefficiencies to cut costs before he was asked to.

That strategy paid off, and the trust Toole earned not only allowed him to determine the cuts and their nature but also permitted him newfound say in where the savings he reaped could be redirected.

“I  wanted  to  not  just  cut  costs  but  also  build 
capacity  for  the  future,”  he  recalls. 

First, Toole invested in building a help desk system so he could bring the poorly performing outsourced desk back inside the company. That addressed IT’s most visible failure. He diverted some resources to creating an architectural team so IT would no longer be managed in silos, reducing redundancy while increasing agility. And he invested in increasing business, leadership and developer skills so his staff could deliver better service and applications with an eye toward adopting modern approaches such as service-oriented architecture and Web services.

Toole’s experience is hardly unique. A CIO Executive Council survey in April found that 12 percent of the 51 CIOs interviewed faced what they called “very high” pressure to cut costs, while another 28 percent had “significant” pressure. “In a lot of cases, all the business expects of IT are tactical decisions. It’s viewed as an order-taker, a big cost, just data processing,” says Dennis Gaughan, research director for IT governance at AMR Research.

CIOs have already done a great deal of work cutting costs. But all too often the money they’ve saved has disappeared into the maw of the business, never to be seen again—at least not by IT. That’s why CIOs can’t just cut costs; they have to have a strategic plan to cut costs. And they have to leverage that plan to gain or maintain a seat at the organization’s strategic table. In that way, the cuts they make can be transformed from a way of slowly bleeding IT to death to a way of adding value to the company.

Cut,  But  Cut  Smart 

“A lot of the [IT] cost savings in the last three to four years have been accomplished by shrinking budgets,” says Greg Bell, a partner in the information risk management practice at audit, tax and advisory firm KPMG. In most cases, IT cut costs without determining whether those efficiencies increased costs elsewhere, increased business risk or short-circuited a potential strategic initiative for the business. For example, the management team of residential real estate company Crye Leike Group asked CIO Gurtej Sodhi to consider outsourcing the company’s call center. Sodhi declined.

“My call center is one of the biggest advantages we have over our competition. The potential savings did not justify [outsourcing] it,” he says. Sodhi saw the call center as the customer’s touchstone to the company, and he wanted to invest in it by taking better advantage of customer intelligence for cross-selling and targeted services. That’s hard or impossible to do with an external, outsourced call center, he says.

“CIOs may find themselves in a hole by not managing [cost cutting],” says James Kaplan, a partner at the consultancy McKinsey & Co. “Fortunately, we’re seeing in the last 18 months more strategic direction from the CIOs on cost cutting.” That’s because optimism about future growth has turned the businesses’ priority from cutting costs across the board to building long-term efficiencies that will permit IT to focus on helping the business grow. “In 2002-2003, there was a need to reduce costs quickly,” he says. That period, according to Kaplan, is over.

While CIOs will arrive at different conclusions about what costs to cut and how to make those cuts, there are several universally applicable strategies that Toole and other CIOs have found successful. They include making the IT costs of business technology demands clear to senior management so you’re not stuck with supporting unfunded mandates long-term, separating IT operations from innovation initiatives, and making the infrastructure—which Forrester Research says typically consumes 76 percent of IT budgets—both more efficient and less complex.

The implementation elements of a successful long-term infrastructure reduction strategy are deceptively simple: standardize as much as possible to reduce complexity; get rid of hardware, data and applications you no longer need; and understand the cost and value of delivering each IT service so you can determine what to outsource, automate or manage at the appropriate level of staff.

But  while  these  elements  are  straightforward,  translating 
them  into  action  can  be  hard.  That’s  where  your  department 
heads  and  technology  experts  come  in.  With  a  clear  strategy  in 
place,  they  can  choose  the  right  solutions.  And  IT  can  then  focus 
on  delivering  what  the  business  really  wants  and  needs,  says 
Alex  Cullen,  principal  analyst  for  IT  management  at  Forrester 
Research,  “not  just  be  some  general  corporate  overhead  target.” 

Know  the  Value  Before  You  Cut 

To cut costs strategically, you need to understand your actual costs and the value of your various technologies, services and business deliverables. Otherwise, the cuts you make may degrade important business processes and reduce their value. A good way to clarify these issues is to seek expertise.

“Add a finance person to your staff to help you understand your costs and cost drivers,” suggests Forrester’s Cullen. And be sure to make the costs associated with specific business initiatives clear to the business process owners so that they understand how much you’re spending to support them. That can help the CIO team up with other business managers to reevaluate the service levels they demand or the value of the IT they’re using and demanding. Essentially, this approach treats IT as a portfolio of services and resources. “This improves demand management, so the enterprise picks the right things to spend money on,” says AMR’s Gaughan. “Portfolio management is a good approach for long-term savings,” he adds.

PharMerica’s Toole used this approach, following the accumulated costs of each business application through the accounting ledgers, to figure out what his largest application support costs were and how they were accounted for in both business and IT budgets. (Hardware leases and purchases were his biggest expense, followed by software support and maintenance, then long-distance, local and data communications.) “We then made some attempt to calculate the value these expenses returned to the business,” he says. This exercise uncovered significant waste in equipment leasing costs (mostly for old, unused or underused equipment). Not only was Toole able to reduce his leasing costs, he also got some rebates for unused equipment. But he also went further, citing the discovered inefficiencies as reasons to launch a more sweeping IT consolidation effort, getting rid of unnecessary servers, consolidating data and applications onto fewer servers where possible, and reducing special-purpose servers, applications and operating systems. That resulted in both equipment savings and lower labor costs, as less management overhead was needed.

PharMerica CIO Richard Toole: By insourcing his “helpless” desk, Toole improved service. Ultimately, that helped win him a separate IT innovation budget.


Where the Cuts Are

Faced with pressure to reduce costs, CIOs are looking at the entire infrastructure. But several areas are getting more attention than others. In 2007, for instance, enterprise software will become a major cost-cutting focus for 24 percent of respondents. (Red numbers highlight areas CIOs are paying the most attention to.)

Type of Infrastructure Cost | Cut This Fiscal Year | Cut Planned Next Fiscal Year
STAFFING
Senior IT headcount | 4% | 6%
Midlevel IT headcount | 14% | 16%
Junior IT headcount | 12% | 6%
IT salaries | 8% | 4%
Freelance contractors | 31% | 35%
OUTSOURCING
Domestic contracts | 24% | 18%
Offshore contracts | 12% | 8%
TELECOMMUNICATIONS
Wired | 39% | 20%
Wireless | 10% | 18%
Networking | 22% | 14%
SOFTWARE
Enterprise | 12% | 24%
Desktop | 12% | 10%
Maintenance contracts | 22% | 22%
HARDWARE
Data centers | 31% | 24%
Desktop | 16% | 14%
Mobile devices | 12% | 12%
Maintenance contracts | 22% | 31%
OPERATIONS
Overhead (facilities, power and so on) | 14% | 14%

SOURCE: CIO Executive Council survey of 51 CIOs, April 2006

Toole’s cost and value analysis also led him to stop outsourcing his “helpless desk.” He applied the labor savings from the infrastructure consolidation to manage the help desk internally. Although his dollar cost didn’t go down, the quality of service went up dramatically. And that showed his company he could both drive fiscal restraint and improve service. Over time, that approach won Toole a separate IT innovation budget—a recognition that IT was not merely a service organization. And that in turn let Toole focus on building the right IT infrastructure (as well as applications and integrations) instead of just squeezing the one he inherited.

Other CIOs have benefited from similar cost and value analyses. For example, Crye Leike CIO Sodhi analyzes every IT infrastructure project through three lenses: project cost, the impact on productivity and competitiveness. Like Toole, he found many inefficiencies in the organization he inherited, including 28 percent in excessive costs for telecom circuits and PBXs, 25 percent wastage in server utilization, 30 percent wastage in storage and inefficient distribution of IT staff to regional offices. “My CEO still says that I’m the biggest spend in the company, but he knows it could be a lot worse if we weren’t as efficient as possible,” Sodhi says.

To ensure that his company’s cost and value analyses are on target, John Von Stein has created an IT service catalog to benchmark unit costs against peers and research firms’ recommendations. The CIO at the financial transaction processor The Options Clearing Corp. works closely with the finance department on this effort. The result: “We have a good handle on the costs,” Von Stein says. “And our business partners understand that if you put several straws in the milk shake, it’s coming out of the same pool.”


The Options Clearing Corp. CIO John Von Stein says CIOs should not expect to retain all the money they save their organizations, but routinely gaining efficiencies “builds credibility with the CFO, COO and the board.”


Separate Operations from Innovation


With the costs and values understood, CIOs can separate their operations from their new initiatives. This not only lets the business understand the balance between the services it has come to count on and the services it may want to add, but also the long-term implications of making new demands on the infrastructure. “Remember that every project you did the year before goes into maintenance,” says Forrester’s Cullen. Truly appreciating that cold calculation helps the business team comprehend the long-term implications of technology initiatives, and also helps ensure that the CIO is always on the lookout for efficiencies to make room for those new operational requirements, he says. The average company spends about 76 percent of its IT budget on maintenance, operations and support, Cullen notes, while efficient companies fall between 50 percent and 60 percent. (See “Flex Time,” www.cio.com/020105, for more on the budget strategies that can make such separation successful.)

But the separation should not be just about budget lines. The separation also helps CIOs identify which staff and technologies are core to the business and which ones aren’t. By definition, innovation is core to the business, but that doesn’t mean everything else is not. Within the operations part of IT, the CIO needs to understand which aspects require special skills or focus, and which are routine. This analysis helps determine both where to target efficiencies and where to invest.

For example, manufacturer ThyssenKrupp Elevator discovered that it could safely outsource mainframe and AS/400 operations to reduce costs, but it could not outsource network management. That’s because the mainframe and AS/400 systems management is “fully stable, fairly repetitive and low-volatility,” says CIO Jim Miller. But it made more sense to invest in internal network management skills since ThyssenKrupp’s 180 or so locations required intimate knowledge of the network connections and relationships among the locations, a level of ongoing focus that Miller concluded an outside vendor could not deliver.

Similarly, document-processing equipment manufacturer Bowe Bell & Howell concluded it could outsource desktop support but needed to reallocate some of the IT staff budget to work on its SAP ERP deployment. “We were heavily invested in resources for the infrastructure, which were not lined up to our strategic areas,” recalls CIO Ron Ridge. Properly providing desktop support for the company’s 2,000 employees, 1,400 of whom are in the field, would have required a significant investment in help desk management systems, he says, yet what the company really needed was to build on its ERP deployment to help the business team improve productivity and increase revenue. Understanding the operational/innovation separation made the need to change the IT strategy clear.

By  understanding  which  functions  are  strategic,  ADP  Employer 
Services  CIO  Bob  Bongiorno  has  been  able  to  increase  the  budget 
for  IT  staff  working  on  new  development  efforts  by  17  percent  from 
2005  to  2006,  permitting  growth  from  575  to  about  690  people, 
while  keeping  his  overall  budget  nearly  flat,  rising  just  $1  million 
this  year  to  $116  million.  The  extra  money  for  new  development 
efforts  came  from  a  variety  of  sources,  including  streamlining 
data  center  operations  and  reducing  maintenance  costs. 

While such separation is useful for strategic management, there needs to be communication among these two IT groups and the business to ensure that each does not go its own way and end up creating an environment where operations prevents innovation or where innovation strains the infrastructure. At the diversified manufacturer United Technologies, CIO John Doucette uses a CIO council to coordinate savings strategies among the company’s divisions.


Rules for Rationalizing the Infrastructure

While there are many ways to achieve efficiencies in IT infrastructures, they tend to be variations on one basic approach: reducing complexity. “The key levers are simplifying, standardizing, consolidating and centralizing,” says John Balboni, CIO of International Paper, who has cut IT costs by 25 percent over three


Chargeback: The Pros and Cons

Should  you  charge  business  units  for  operations? 

ONE  WAY  TO  KEEP  BUSINESS  UNITS  from  forcing  your  operational  costs 
to  rise  is  to  charge  them  for  their  share  of  those  operations.  This  can  rein 
in  ever-increasing  requests  for  technology  deployments.  For  example,  at 
United  Technologies,  “Everything  is  in  the  customer’s  budget,”  says  CIO 
John  Doucette.  Well,  almost  everything:  of  Doucette’s  approximately  $200 
million  IT  budget,  $5  million  is  considered  general  corporate  overhead. 
“The  businesses  have  to  believe  there’s  value  in  what  they're  getting.  The 
only  way  to  get  that  is  for  them  to  pay  for  it,"  he  says. 

Other CIOs think linking operations costs directly to specific deployments or business units is a bad idea. “I’m not a fan of chargebacks,” says Jim Miller, CIO at ThyssenKrupp Elevator. While business managers can understand why they might be charged for a data line, charging business units a share of basic IT infrastructure “gets us into more arguments than it’s worth,” he says.

If you do try to charge business units for their share of operational costs, be prepared to do some tough work, says Dennis Gaughan, research director for IT governance at AMR Research. Not only do you have to determine the costs per activity, you need to calculate its value to the business. “That’s not trivial,” he says. “You have to earn a level of respect with the business before you can even begin to do this level of analysis.”

Even if you don’t charge back for operations, it does help to have an idea of those rough costs, notes Alex Cullen, principal analyst for IT management at Forrester Research. “Add a finance person to your staff to help you understand your costs and cost drivers,” he advises. That strategy works well for Learning Company’s CIO John Von Stein. “We don’t need to do allocation [to business units] because we have a good handle on the costs,” he says, thanks to a partnership with the finance department. -G.G.
Understand Your Exposure

New Mission Critical Systems for Email and Instant Messaging


Ask a group of IT business decision-makers to name the most disruptive technology of the past 20 years, and electronic messaging, especially e-mail, is certain to appear in the top three. As business has become more e-centric, e-mail has become as critical to an enterprise’s success as its ERP applications.

In today’s business world, where compliance and security are key drivers for IT investments, the need to manage e-mail and instant messaging to minimize security and legal exposure has joined availability and storage as critical concerns for managing messaging.

Forget paper trails and whistleblowers. Today, an attorney prosecuting a major business will go looking for the new smoking gun of cyberspace: electronic records generated by e-mail and instant messaging (IM). Few CIOs missed the fact that, in recent years, the New York State Attorney General Eliot Spitzer repeatedly used e-mail records to prosecute cases against major businesses and their executives. But even if it doesn’t come to that, companies need to be able to access such records quickly—if only to avoid raising suspicion.

Says  the  former  CIO  of  a  major  financial  services  firm, 
if  a  business  can’t  retrieve  specific  e-mail  records  in  a 
timely  manner  when  regulators  or  prosecutors  bang  on 
the  door,  businesses  run  the  risk  of  looking  as  if  they  are 
hiding  information. 

But while researching “The Sarbanes-Oxley Guide for Financial and Information Technology Professionals” author Sanjay Anand heard from dozens of senior IT executives who lamented that they lacked a solution that bridges the compliance gap between corporate e-mail and such regulations as Sarbanes-Oxley, HIPAA (Health Insurance Portability and Accountability Act), and Gramm-Leach-Bliley.

But if IT executives have been slow to adopt relevant e-mail solutions, when it comes to managing IM an even starker reality prevails. The IM usage within enterprises is increasing rapidly, but the majority of users are still on public IM networks, which do not provide secure and manageable real-time communications.

Considering that IM incurs much of the same legal risk as e-mail—not to mention a host of unique security threats—that statistic ought to sound a warning among CIOs.

What’s more, IM is proving to be one of the fastest growing communication media in the 21st Century. According to a study by The Radicati Group enterprise IM will nearly triple between 2005 and 2009 to about 126 million seats. It may be difficult to imagine a communication tool more pervasive than e-mail, but experts predict that by the end of this year IM traffic—chatting online—will surpass e-mail traffic. Global services such as AOL Instant Messenger, MSN Messenger, and Yahoo! Messenger each report more than 1 billion messages sent per day, and newcomers GoogleTalk and Skype are likely to perpetuate the trend.
Offering the benefits of real-time communication and presence awareness, IM has already infiltrated the vast majority of companies: The Palo Alto-based Radicati Group estimates that 85 percent of all North American enterprises report IM use. And IDC predicts that IM business use will continue to rise, even at the expense of e-mail use.

Bottom line? Companies need a cost-effective way to manage both e-mail and IM. Savvy CIOs are moving aggressively to ensure that these critical business applications are reliable, secure, available, and compliant.

According to Anand, “without the right security, storage, and retrieval systems working behind the scenes, your e-mail system is a risk to your business.”

E-mail  and  IM  as  evidence 

Whenever information passes through e-mail or IM, an electronic record is created. This digital version of a paper trail can serve as valuable evidence in a court of law, delivering proof that companies follow—or circumvent—regulations or internal company policies. And these records are subject to greater governance and control—from industry-specific regulatory requirements to the need for best practices on content control and management based on broad, sweeping legislation such as HIPAA and Sarbanes-Oxley.

Meanwhile, corporate electronic records are reaching record levels. According to a 2005 study by IT analyst firm Enterprise Strategy Group, the need to retain email is now the primary driver of electronic records management initiatives. In addition, email has also become the most frequently-requested type of business record by courts and regulators. Moreover, as e-mail systems come under more stringent IT-enforced storage limits and filters, IM is an increasingly popular alternate channel for exchanging information. It’s also growing as a medium for exchanging files.

Forward-looking IT executives are taking steps to develop policies on messaging archiving and management. Lately, litigation often involves discovery of e-mail communication as evidence. If a company is requested to discover and produce relevant e-mail messages and is not able to do so in a timely manner, it can be costly, with large financial penalties and often larger indirect costs that include potential damage to the organization’s reputation, brand, and stakeholder trust.


At  your  fingertips 

In order to reduce these risks to the enterprise, effective archiving and discovery mechanisms are essential. To that effect, roughly half of large companies have an e-mail archiving solution in place, up from 25 percent of companies last year, according to multiple research firms. Companies still have a long way to go when it comes to archiving and retrieving IM messages, however.

Organizations lagging behind should keep in mind that they typically have very short timelines—a few days or less—to produce specific electronic records for regulators or prosecutors, according to Anand, author of “The Sarbanes-Oxley Guide for Financial and Information Technology Professionals.” But the ability to produce that information quickly is vital. “In some cases, a single e-mail can prove a company’s innocence—or guilt,” notes Ed Golod, president of Revenue Accelerators Inc., a consulting firm in New York that serves senior technology executives. And when a judge in 2004 told a jury to assume bad faith on the part of Morgan Stanley for mishandling an e-mail discovery request, the stakes for IT managers handling e-mail access and retention increased exponentially.


IM Policy Template

Consider these FDIC recommended steps when designing an IM use policy:

1. Establish a policy to restrict public IM usage and require employees to sign an acknowledgement of receipt of the policy.

2. Consider implementing an intrusion detection system to identify IM traffic. Assess the need for other IM security products.

3. Create rules to block IM delivery and file sharing.

4. Consider blocking specific IM vendors.

5. Ensure a strong virus protection program.

6. Ensure a strong patch (software update) management program.

7. Include the vulnerabilities of public IM in information security awareness training.

Source: FDIC (http://www.fdic.gov/news/news/financial/2004/fil8404a.html)

Another Vulnerability Window Opened

In addition to the legal risks of IM and e-mail environments, enterprises also incur other threats to corporate security. For example, unmanaged e-mail and IM can be a source of lost intellectual property and sensitive material. The IMlogic Threat Center, the industry’s first global consortium to provide threat detection and protection for IM and peer-to-peer applications, reports that more than 30 percent of employees use IM for file transfers with external parties. Worse, the majority of IM messages are sent over public networks—under the radar of the enterprise IT organization. As a result, few companies have a clear picture of how IM is being used in their company.

Even more immediate and urgent is the threat of attacks from malicious parties in the form of worms and viruses. These plague both e-mail and IM channels, but IM is especially vulnerable to such attacks, since IM threats have become more sophisticated with the use of social engineering techniques such as buddy lists (lists of those permitted to instant-message a particular user) which tend to engender trust among users. IM threats grew by a staggering 1,693 percent in 2005, according to the IMlogic Threat Center. CIOs should also be forewarned that the manufacturers of such attacks are increasingly sophisticated, capable of building worms and viruses that target multiple channels: the Web, IM, and e-mail.

But that’s not all. Additional security risks to unmanaged electronic
messaging include inappropriate use that violates internal policies,
including those established by the HR department. Creating IM and e-mail
policies and a corresponding enforcement mechanism is critical to ensuring
that offensive or disruptive messages are not exchanged. Identity theft is
another heightened risk in environments where electronic messaging,
especially IM, lacks regulation. When an organization has not implemented
the appropriate controls to its enterprise domain for the IM networks,
perpetrators can easily pose as co-workers and colleagues. According to
Symantec, IM is especially vulnerable to these types of attacks since it is
relatively simple to impersonate or “spoof” an IM identity. Companies
traditionally don’t own their own domain name on the consumer IM networks
such as AOL or MSN, and don’t generally require authentication or
registration of IM accounts.

The  Solution 

The risks of e-mail and IM management are a lot for any CIO to keep track
of, and customers are increasingly seeking a single-vendor solution that
proactively helps organizations simplify messaging management, enable
instant search and discovery of email legal requirements, reduce storage
costs, and limit the exposure to new security loopholes that IM presents.

As technology continues to diversify and new real-time tools like new IM
systems that support voice and file transfers become more widespread, a
uniform approach will only be more effective.

Facts on

» More than 75 percent of corporate intellectual property is stored in
  e-mail

» Roughly half of large companies have an e-mail archiving solution in
  place, up from 25 percent last year

Facts on IM:

» 85 percent of all enterprises in North America are reporting IM use

» IM traffic is expected to exceed e-mail traffic in 2006

» IM threats grew by 1693 percent in 2005

» 45 percent of employees use IM at work because they believe their
  communication is unmonitored

With these CIO priorities in mind, Symantec Corp. recommends an integrated,
holistic approach that includes several products.

Savvy organizations must also master e-mail archiving and journaling and
ease urgent data retrieval projects. One of the country’s largest
securities firms has used Veritas Enterprise Vault and Discovery
Accelerator since 2003 to securely archive its 5,000 Microsoft Exchange
mailboxes. The firm is now using Compliance Accelerator 6.0 — software that
allows users to readily access messages and deploy multiple servers and
that includes a new ad-hoc investigative tool — to sample 1,700 of its
broker mailboxes on a daily basis in order to comply with NASD and SEC
regulations. The company must adhere to SEC Rule 17a-4 and NASD 3010 and
3011, which require brokerages to retain e-mail messages in a secure but
highly available archive and demonstrate effective supervision of
electronic message traffic.

Veritas Enterprise Vault also increases e-mail availability, because it
reduces the amount of data stored in primary messaging servers and file
servers by up to 50 percent, according to Veritas. “It essentially protects
you from reaching capacity thresholds,” says Golod.

According to the “Gartner Magic Quadrant for E-mail Active Archiving, 2006”
by Carolyn DiCenzo and Kenneth Chin (May, 2006), the growing size of e-mail
data stores, coupled with the requirement to retain e-mail records for
regulatory compliance and legal discovery, has created a market for e-mail
archiving tools.

Four  steps  to  meeting  your  IM  security  needs 
Unlike  with  e-mail,  which  has  been  firmly  established  as 
a  business  tool  for  years,  many  companies  have  a  blank 
slate  when  it  comes  to  managing  and  controlling  the  risk 
of  instant  messaging.  Viral  adoption  of  clients  such  as 
AOL  Instant  Messenger,  MSN  Messenger,  and  Yahoo! 
Messenger  has  occurred  outside  the  watch  of  IT,  creating 
a  free-for-all,  unmanaged,  unmonitored  IM  environment. 

Symantec — through IMlogic — recommends a four-pronged approach that will
allow companies to deal with the corporate IM landscape as it exists today
while planning for the deployment of emerging presence-based technologies.

Companies should first try to answer the following questions: Who is using
IM? What for? And what public or enterprise systems are being used?
Organizations can conduct a usage audit with a trial license of Symantec™
IM Manager for IM detection and analysis. Companies can choose to set up
Symantec IM Manager without disrupting users, in order to assess usage and
behavior, generate usage reports, and build a personalized risk profile.

Once key risk areas are identified — such as unique viruses and worms —
companies should address those risks quickly. Because of its nature as a
real-time, presence-awareness medium, IM is especially vulnerable to the
viruses and worms that can attack e-mail and the Web.

Technology like IM Manager provides organizations with the necessary
security capabilities needed to ensure that IM is not exposing the business
to unnecessary risk. For example, IM Manager can be configured to provide
mapping of consumer IM screen names to LDAP identities. IM Manager can be
set up to disable actions such as file transfers through IM or scan the
transfers using antivirus engines from Symantec. IMlogic also enables
enterprises to re-route internal IM messages through the company’s network
and to control what IM systems employees can use in order to block out
clients with known security vulnerabilities.

For an additional layer of security, IM Manager provides the Real-Time
Threat Protection System (RTTPS), which offers the benefits of the
industry's first and only community-based, predictive IM threat protection
capabilities, combined with automatic security updates from the Symantec
Security Response. RTTPS passively monitors IM traffic, detecting and
blocking new, emerging IM viruses and worms before they propagate over the
corporate network — offering real-time protection without disruption.

Once immediate threats are stabilized, the third step in IMlogic’s
four-pronged approach is to develop an effective IM usage policy. Based on
the experience from experts across a variety of disciplines and in many of
the most complex customer environments, there are several points of best
practice when developing and implementing policies for corporate IM use.
They include treating IM the same as e-mail when possible, detailing
provisions for items such as acceptable use and confidentiality, and
consulting with legal, HR, and IT members.

Companies may want to notify users that IM messages, like e-mail, are
discoverable by opposing parties during litigation. In many cases, even
though senders and recipients have deleted their copies of an electronic
record, back-up copies may be retrievable after deletion. IM messages are
often not monitored or managed by IT. The best practice starts from
understanding and controlling how IM is being used within the corporation.

IM Manager provides a number of methods by which IT administrators can
establish IM policy enforcement and conduct ongoing audits for corporate
policies and compliance. These product features include message
disclaimers, identification, real-time message filtering, 100 percent
message capture, and comprehensive message export and purging capabilities
for integrating IM messages into centralized archiving and discovery
systems.

Finally, for organizations that have assessed their IM usage, neutralized
immediate threats, and developed and propagated an IM policy, the messaging
management strategy does not stop there. For most companies, instant
messaging is the first foray into the realm of presence-enabled, real-time
communication and collaboration services delivered over an IP network. But
there will be more communication that will bring similar challenges to
corporations, such as voice over IP, and files shared over collaboration
servers. Convergence — or the delivery of all real-time collaboration
services under a single management policy — will be the single biggest task
facing IT organizations over the coming decade. Organizations should look
for a consistent set of management and security policies as they move in
this direction.

Summary 

As organizations work to keep up with the rapid rate of change in employee
communications, it is imperative that they ensure that both e-mail and IM
environments are secure, accessible, and compliant. And as these
technologies continue to broaden, an integrated approach will be more
cost-effective than ever.

An effective e-mail solution and IM compliance solution requires clearly
defined corporate policies that describe how e-mail or IM are to be used
and stored over the long haul. It also requires a long-term strategy for
how best to leverage IM and e-mail as business tools that help drive sales,
reduce costs, and improve margins without increasing risks to the business.

Anand has this advice when managing threats gets too complicated: “Just
remind yourself to keep things simple,” he says. “You ultimately need a
strategy that ensures proper security, storage, and retrieval of your
digital information. Keep those three steps in mind, and you’re on the way
to success.”

For more information, visit www.symantec.com or call 1-800-745-6054.


Steps to IM success:

1 Assess usage

2 Neutralize immediate threats

3 Develop a policy for IM usage

4 Develop a long-term strategy for real-time communication technology

Cover  Story  |  Infrastructure 


years  even  though  his  company  has  been  involved  in  a  number 
of  acquisitions  during  that  time. 

“It requires standard processes to do real consolidation,” advises KPMG’s
Bell. So any infrastructure rationalization needs to start with
understanding the underlying business and IT processes, making them
efficient, then adjusting the infrastructure to support them. Part of that
effort includes rethinking the service levels IT provides to the business,
says McKinsey’s Kaplan. “Do you need 24/7 support for all applications?” he
asks. “Do you need disaster recovery for all applications?” Service levels
should reflect business criticality, since achieving high service levels
adds significant labor and technology costs. “You have to show [business
departments] what they can live with—service is really a level of gray,”
says Khris Hruska, technology director at child-care and education provider
Learning Care Group. To do that, Hruska worked closely with business
managers to help them understand what service levels they really needed.
Then he tuned his resources accordingly.

“Old stuff is evil. Every asset needs to have a set life.”
— United Technologies CIO John Doucette

1. Don’t Keep Multiple Systems

One way Balboni has kept costs down is by not keeping acquired companies’
IT infrastructures. That allows efficient usage of technology and staff
while also ensuring that the business has a unified view of its customers
and operations. “You don’t want to serve the customer out of two systems,”
he says.

“You have to have the same system,” agrees John Williams, CIO at retailer
Party America, which has grown from 36 stores to 300 in three years through
a series of mergers and acquisitions. During that time, his IT staff only
doubled from six to 13, thanks to enforcing the same point-of-sales and
back-end systems on all the acquired entities. “Every time you have a
merger, you’re at a crossroads. Do you go with theirs, or do you go with
ours?” he says. At Party America, Williams went with his. It wasn’t a
question of which technology was better—both his Oracle-on-Linux
environment and the acquired companies’ AS/400 environments could do the
job. It was a question of what skills his IT staff had. They knew the
Oracle-on-Linux environment. Williams is also reducing the number of
broadband providers to his stores to make vendor management and support
easier.

It’s not just companies dealing with mergers and acquisitions that can take
advantage of platform reduction. For example, ADP’s Bongiorno expects ADP
to save $50 million per year by consolidating 30 data centers into two by
2009. The company had been decentralized, with separate IT operations at
each customer center. Centralizing the operations not only will reduce IT
staff but also will allow higher utilization of equipment. “The biggest
piece has been around getting more clients on a server,” says Bongiorno.
Doing so reduces labor, licensing and hardware costs.

Cutting Costs to Fuel Innovation

Join a WEB TELECONFERENCE July 18 from 3 p.m. to 4 p.m. hosted by
PharMerica CIO Richard Toole to learn how PharMerica cut IT fixed costs and
how Toole retained and redirected that money to fund innovation. This
teleconference will delve deeper into the issues raised in “Trimming for
Dollars.” Toole, a board member of the CIO Executive Council, will also
present findings of the Council’s recent member poll on where and how much
CIOs are cutting in 2006 and 2007. This CIO Executive Council call is open
to all IT practitioners from the CIO and CIO.com readership. Register today
at www.cioexecutivecouncil.com/public/teleconferences.

2. Routinize the Routine

The easiest way to save is to invest fewer resources in repetitive,
predictable tasks, since labor is usually the largest cost in any IT
organization (typically half the budget, says McKinsey’s Kaplan). There are
several ways to reduce that labor cost: automation, simplification and
outsourcing. Often, companies employ a combination of these tactics.

Outsourcing can save money, but not always. “A lot of companies don’t know
the cost of a service before they outsource it,” says AMR’s Gaughan, so
they don’t know if their actual costs have gone up or down. For outsourcing
to be effective, “you need to think through the control issues up front so
you have the ability to hold them accountable,” says Bowe Bell & Howell’s
Ridge. “You need a higher degree of process management when you offshore,”
adds Kaplan.

CIOs should approach outsourcing in a nuanced way. For example, Bowe Bell &
Howell found it cheaper to outsource desktop support and SAP hosting than
to maintain its own staff and IT infrastructure for these tasks. But it
manages its telecommunications systems because it doesn’t want to take any
risks with the customer data that telecom brings in, Ridge notes. ADP has
hired cheap staff in India and Brazil to code its applications, while
retaining the higher-skill project management and development staff in the
United States, says CIO Bongiorno. And ThyssenKrupp saved by outsourcing
its mainframe and AS/400 operations, but it also saved by firing its
network management outsourcer and bringing those operations back inside the
company.

On the technology front, CIOs are often pitched automation systems and
virtualization as ways to gain labor efficiencies. Both are new
technologies and thus tend to come from startup providers focusing on one
aspect of IT, says AMR’s Gaughan.

At International Paper, “we work a lot on automation,” says Mark Snyder,
the senior manager for connectivity solutions. But some of that effort has
involved developing its own monitoring tools to ensure they map to the
company’s specific processes.

Virtualization technology saves labor by simplifying the provisioning of
servers, making it a software operation rather than a hardware setup task.
Virtualization also promises to use more of your existing server resources,
reducing the need for additional hardware. It does that by treating the
hardware as a pool of computation and storage. So if an application needs
just half a server’s capacity, the other half can be allocated to another
application rather than sitting idle. But because virtualization is a new
technology, it requires a more highly skilled staff to manage and can
require additional overhead to maintain the load balancing, says Gaughan,
adding, “That should decrease over time.”

3. Shift to Cheaper Equipment and Services

The rise of standards-based platforms has helped lower technology costs,
and CIOs should take advantage of that. That’s why, as part of his data
center consolidation effort, ADP’s Bongiorno is replacing expensive
proprietary servers with cheaper standards-based ones. Similarly, when it
was time for a technology refresh, ThyssenKrupp replaced its Cisco
networking equipment with Adtran hardware because of a significant cost
difference. And Crye Leike has shifted from installing dedicated T1 and DS3
data circuits at its new offices (it opens several each month on average)
to using cheaper DSL connections secured through virtual private networks,
says CIO Sodhi.

4.  Only  Pay  for  What  You  Use 

An easy way to save money, says AMR’s Gaughan, is to know what you have.
“Often, companies have more licenses than they need,” he says, because they
manage licenses manually and sometimes they lose track. “You won’t get your
[license] money back, but you might be able to stop paying for maintenance”
on those unused licenses, he suggests. PharMerica’s Toole even got rebates
for some leased equipment after his inventory revealed he was paying for
equipment he was not using.

There are tools for asset management, but they tend to be fairly manual and
lots of IT groups that use them still lose track. Providers include
Absolute Software, Alloy Software, IBS, Computer Associates and Novell.

5. Broom that Closet

Perhaps the most neglected cost-savings opportunity is junking old
equipment and software. Companies often leave old applications running or
use older hardware as hand-me-downs for noncritical use, such as archival
storage or departmental file servers. That’s a mistake, as it just adds
more stuff to manage, thereby driving up infrastructure and support costs.
“Old stuff is evil,” says United Technologies’ Doucette. “Every asset needs
to have a set life.”

An added plus is that getting rid of old stuff makes room for new stuff.
For example, The Options Clearing Corp. replaces its Solaris servers every
three to five years with new models that have two or three times the
previous capacity, typically for the same price. That strategy keeps the
number of boxes to manage low, even as processing demands increase, says
Scott Everhart, the company’s first vice president of technology services.

The Best Cutting Enables Innovation

To reduce costs in a way that supports the business strategy requires
aligning IT costs to the value of the services they provide, says
Forrester’s Cullen. “The solution to the CIO’s problem is not something he
buys from his vendor,” he says. “People and processes are the big issues.”

The CIO should not expect to retain all the money he saves his
organization, but routinely gaining efficiencies “builds credibility with
the CFO, COO and the board,” says The Options Clearing Corp.’s Von Stein.
“So we get more latitude in getting a ‘yes.’” At Crye Leike, CIO Sodhi has
a seat at the management table, “so I have a say in how we will use some of
the savings.”

By having management trust and continually demonstrating a commitment to
efficiency, some CIOs get a discretionary innovation budget. PharMerica’s
Toole has such a budget, and so does ADP’s Bongiorno, who gets to keep any
savings beyond a set target. “The only way we’re going to get more for IT
is for us to find the savings,” he says.

And that’s just fine with him.


Galen  Gruman  is  a  freelancer  who  writes 
frequently  on  technology.  E-mail  feedback  to 
drosenbaum@cio.com. 


FOLLOW the LEADERS

Honoring  the  CIOs  of  the  future 
and  the  IT  leaders  of  today 


What is leadership? That question and its companion—How best to lead?—must
be answered by CIOs as they prepare the next generation of IT leaders.

We  all  know  leadership  when  we  see  it. 
And  we  can  easily  note  its  absence. 

But separating leadership into its constituent elements isn’t so simple.

What we know for certain is that leadership development is an imperative.
CIOs need leaders in the ranks. Otherwise, the job becomes impossible. And
the most successful CIOs take an active role in cultivating leaders. So the
2006 Ones to Watch award not only honors the 20 men and women who have
shown the judging panel that they have what it takes to be tomorrow’s CIOs,
the awards are also an acknowledgement of the personal commitment to
fostering talent shown by their CIOs.

And when it comes to leadership development, never underestimate the power
of getting personally involved. A CIO poll of this year's winners found
that 63 percent described their own CIO as being “extremely committed” to
developing internal IT leaders (to see the full results of the Ones to
Watch Survey, go to www.cio.com/awards/otw/2006/otw2006survey.pdf).

Still, aspiring minds want to know: How do you become a person others want
to follow?

Start by being yourself, say CIOs, some of whom share the secrets of their
own leadership success in “The Right Stuff” (Page 46). Play to your
strengths. If you’re a hands-on person, be a hands-on leader. If you’re not
a rah-rah type, don’t try to fake it. Find another way to inspire the
troops. Most importantly, says Marilyn Delmont, CIO for the city of
Chandler, Ariz., stay true to yourself. "Don't jeopardize your principles,"
she says, because that's what defines you in the eyes of others.

All the Ones to Watch honorees excel at leadership. But this year, we
drilled deeper to try to understand which leadership skills they deemed
most critical to their success. The winners say that change management (65
percent), relationship building (55 percent), business strategy (45
percent), driving innovation (40 percent) and project management (40
percent) were “extremely important” in their rise to the top. To recognize
these key components of well-rounded leadership and to honor the
individuals who exemplify them, CIO has created the Ones to Watch Standout
awards.

We introduce this new award in “Master Class” (Page 56) and profile five
standouts from this year’s crop of Ones to Watch winners who have mastered
these skills. We examine the demands each of these winners faced within
their company and explore how they applied their special talent to
resolving a problem or confronting a challenge.

Congratulations to all our winners and to the CIOs who first nurtured and
then nominated them. And just in case you were wondering about our ability
to spot a winner, we’ve already had our first member of the Ones to Watch
Class of 2005 graduate to the next level: Kudos to Darren Dworkin, now the
CIO of Cedars-Sinai Hospital in Los Angeles (“Making It,” Page 48).

See  you  all  at  the  top. 


sgelston@cio.com 
What does it take to make the leadership leap?
Do you have what it takes?

BY  BEN  WORTHEN 


Reader  ROI 

::  CIOs  on  the  critical  elements 
of  leadership 

::  Cultivating  your  leadership 
skills  and  your  staff's 

::  What  to  look  for  in  a  protege 


Jeff Chasney is a success. He started his career as an entry-level
programmer, steadily rose through the ranks, and before long he was leading
IT departments. “You have to be the expert at everything,” says Chasney,
executive vice president of strategic planning and CIO for CKE Restaurants,
whose brands include Hardee’s, La Salsa and Carl’s Jr. “I can gut-check
every aspect of my IT department.” So can Tom Lindblom, CKE’s VP and CTO,
and one of this year’s Ones to Watch winners. In fact, it’s why Chasney
nominated Lindblom.

So  there  you  have  it.  Hone  your  skills  until  you  can  do  every  IT  job  with  your  eyes 
closed,  and  you’ll  get  a  one-way  ticket  to  the  executive  suite.  Everyone  agrees,  right? 

Not  quite. 

“I’m a lousy programmer,” says Charles Church, CIO of the Preparedness
Directorate at the Department of Homeland Security. “But it isn’t about
being an expert. It is about setting up an environment where people can be
successful. My leadership style is to focus on recruiting and process and
then get out of the way and let my people operate. And it has ended up
being very successful.”

Chasney’s  and  Church’s  leadership  approaches  couldn’t  be  more  different.  Yet 
both  men  have  not  only  reached  the  top  of  their  profession,  they’ve  managed  to 
thrive  there.  How  is  that  possible? 
Any go-getter can solve a technology problem. To lead means factoring in the human side, according to Jeff Chasney, CIO of CKE Restaurants.

Leadership Development


“The idea that leadership style makes a successful
CIO is total b.s.,” says J.B. Kassarjian,
professor of management and organizational
behavior at the F.W. Olin Graduate School of
Business at Babson College. “There are as many
different styles as there are effective CIOs.”

Knowing what style best suits you, and staying
true to it, is essential whether you are already
a CIO or working your way up the ladder. If you
are a hands-on person, be a hands-on manager.
If you are naturally enthusiastic, use that enthusiasm
to motivate the troops. And if you are a
quiet strategist, don’t try to manufacture false
rah-rah; focus on strategy instead.

“You  need  to  do  what  fits  your  hand,”  says 
Kassarjian. 

Every CIO needs to find his or her own leadership
style. But getting to the top also requires
the ability to recognize and capitalize on opportunities
to hone what you’ve learned, say the
CIOs who nominated the winners of the 2006
Ones to Watch awards, which honor senior staff
poised to become tomorrow’s CIOs.

There is only one hard and true requirement:
You must understand the business. “The
CIO role is all about seeing IT issues as business
issues,” says Darren Dworkin, a 2005 Ones to
Watch winner who became CIO of Cedars-Sinai
Hospital in Los Angeles last January (see “Making
It,” this page). After that, say those who’ve
made the leap, it’s about having the self-awareness
to know your weaknesses, the humility to
understand an important lesson and the self-assuredness
to take advantage of an opportunity.
On the road to becoming a CIO you need
to learn the right way to get noticed, to listen to
advice and to be patient.

Being energetic doesn’t hurt, either. “You
can’t be in second gear all the time and be
much of a leader,” says Pulitzer Prize-winning
historian David McCullough, who gave the
keynote address at the CIO Leadership Conference
in May.

In  fact,  the  only  innate  quality  a  budding 
leader  needs  is  a  willingness  to  learn.  “Don’t 
try  to  be  Jack  Welch  or  Louis  Gerstner,”  says 
Kassarjian.  “The  answer  is  in  you.” 


Be  a  Businessperson 

Regardless  of  your  leadership  style,  there  is 
one  thing  that  everyone  agrees  on:  CIOs  should 
be  good  businesspeople.  You  need  that  second 
mind-set  to  reach  the  top.  “You  can  be  brilliant 


Making  It 

One  winner  on  what  it’s  really  like  to  be  CIO 


Darren Dworkin, former Ones to Watch winner, now CIO of Cedars-Sinai Hospital


What  a  difference  a  year  makes.  Last  July, 
Darren  Dworkin  was  CTO  at  Boston  Medical 
Center  (BMC)  and  a  freshly  minted  Ones 
to Watch winner. Today, he’s CIO at Cedars-Sinai
Hospital in Los Angeles.

Those who knew him then were not
surprised by his meteoric rise. Dworkin’s
intelligence and willingness to learn quickly
won the attention of his superiors at BMC,
where he worked for five years. “Darren was
incredibly energetic and confident,” says
his former manager, BMC CIO Meg Aranow.
“The things he needed to add [to round out
his leadership abilities] were political and
people skills.”

And during his tenure at BMC he
acquired those skills, in part by consistently
setting stretch goals for his team
and inspiring his staff to achieve them.
Dworkin’s nomination for the 2005 Ones to Watch award was in large part a formal
recognition that he was ready to take the next step.

The 35-year-old Dworkin caught CIO's eye for his ability to use IT to solve problems
unique to hospitals, including a bed monitoring system and a remote-access
portal that lets clinicians treat patients regardless of location. Evidently, Dworkin
also caught the eye of recruiters.

In January, he accepted the CIO position at Cedars-Sinai, one of the largest nonprofit
hospitals in the Western United States. One of his primary responsibilities
there is to install an electronic medical records system. It’s the sort of project that
the energetic and confident Dworkin would like to just charge ahead with. But one of
the lessons he learned in his rise to CIO is this: He needs to be patient, involve users
in the selection process and cultivate user support. Patience doesn’t come naturally
for Dworkin—it was the leadership quality he had to work on the most at BMC. “It is
not a hard skill to learn,” he says. “I just need to keep reminding myself to do it.”

As for his first impression of life as a CIO? “You always think that the position
above you has more power than it actually does,” he says. That said, he acknowledges
that the stakes are a lot higher for a CIO. “It is easier to take a risk when you
are the number two,” he says. “On your way up it is equally important to gain lessons
from successes and failures.” Now, as CIO, he doesn’t have the same luxury to fail.

The CIO role is more strategic than the
number-two role. This wasn’t a huge surprise—Dworkin
has noted throughout his career that
the lower you are the more tactical your role
is—but, again, it magnifies the consequences
of success or failure. And he has to count on the
tactical people to execute his strategy in a way
he never has before.

“I try to be inspirational, but ultimately I’ll succeed or fail based on the people
I have working for me,” he says.

-B.W. 


Catch  a  Rising  Star 


For a look at the accomplishments
of Darren Dworkin and other 2005
Ones to Watch winners, visit
www.cio.com/archive/071505/otw_guide.html.


PHOTO  BY  ASA  MATHAT 


Ones  to  Watch 


Leadership is about setting up an environment for success, says Charles Church, CIO of the Preparedness Directorate at the Department of Homeland Security.


with technology,” says Eileen McDargh, a
leadership author and consultant, “but you
are going to lose if you can’t figure out how
to communicate in a way that people understand
and that makes them feel you know
their concerns.”

Art Lofton, VP and CIO of Northrop
Grumman Integrated Systems Sector, got
his position because he was a businessperson.
Literally. Lofton’s current job is his
first in IT. He has been at Northrop Grumman
for 16 years, all in project management
and engineering. Over the past few years,
he began to notice how pervasive IT was at
Northrop Grumman and realized that successful
leaders would be those who could
figure out how to leverage IT “to help the
business,” he says. Since Northrop Grumman
was looking for a businessperson to fill
the CIO role, Lofton, who doesn’t program
or have any other stereotypical IT skills,
got the nod. He does have a rich technical
background—he is an engineer by training—but
he says it was his project management
skills and the credibility he has earned
with his customers that got him the job. He
recognizes the same aptitudes in his Ones
to Watch winner, Alex Seefried, IT program
director for Northrop Grumman’s Airborne
Early Warning & Early Warning Systems
division.

IT staff who aspire to the CIO position
need to demonstrate that they are businesspeople
too. Marilyn Delmont, CIO for the City
of Chandler, Ariz., says that her ability to communicate
the business value of IT projects has
helped her stand out her whole career. “I was
always the liaison, since I could do techno-talk
to the IT people and business-talk to the
customer,” she says. “I had a manager tell me
he wanted to get me more exposure because
of it, and I got special assignments.”

The lesson from this early experience
stayed with her; one of the best pieces of
advice she offers aspiring CIOs is to learn
to use easy-to-understand analogies to
explain complicated technology concepts
(if you need to buy more bandwidth, for
example, say that roads with more lanes
can carry more cars). And as Delmont took
on new jobs with more responsibility, she
was always careful to emphasize the business
problem she was using IT to solve.
It’s a quality she shares with her Ones to
Watch winner Tyrone Howard, the city’s
project management office manager.

“I really don’t want to be seen as a technologist,”
she says. “I want to be seen as a
senior-level executive partner.”

Be  a  Learning  Machine 

Understanding how an IT project addresses
a business problem is a start. A true businessperson
is familiar with all the administrative
aspects of running a department.
When Delmont was a senior IT manager at
Amoco, she knew that a lack of traditional
business skills held her back from reaching
the executive level. For example, Delmont
knew she didn’t have the real-world budgeting
skills a CIO needs. Rather than take on a
budgeting project at work and learn on the
job, she volunteered to work on the finance
board of Empower, a local nonprofit that
helped mentor pregnant teens. Both her
boss and her staff wondered why she didn’t
serve on a technology-related committee.
But she knew that to move up she needed
to understand budgeting, putting together
a business case and calculating return on
investment.

“I  got  to  practice,”  Delmont  says.  In  fact, 
she  had  the  opportunity  to  work  directly 
with  the  chair  of  the  committee,  who  was  a 
finance  specialist.  “I  tell  my  managers  today 
that  they  should  learn  something  different,” 
she  says.  “And  I  recommend  that  they  find  a 
committee  to  be  on.” 

New jobs were the places to learn supplementary
skills for Church, the Homeland
Security CIO. He had work experience in
project marketing and management before
becoming a CIO. “The product you are selling
is yourself,” says Church. So it helps to make
that product as multifaceted as possible.

Get  Noticed  (Quietly) 

A  well-rounded  skill  set  gets  attention.  But 


the number-one thing that decision-makers
who hire and promote look for is a successful
track record. Future CIOs are those who
take on extra responsibility and execute those
projects well. In fact, CIOs say the best way to
get noticed is not to point out the value you
have added to a company but to do your job so
well that the results speak for themselves.

Chasney of CKE says his first job was as a
co-op programmer for Ford. “I would go home
and study so that I could work more quickly,”
he recalls. Soon both the quality and rate of
his work improved and people started talking
about what projects he could help on. “One
of my colleagues said to me that they were
all that way early on and that I would settle
down.” Those colleagues never became CIOs.

Throughout  his  career,  Chasney  would  go 
above  and  beyond  to  get  a  job  done.  Even  today, 
no  task  is  too  big  or  too  small.  “I’ll  get  coffee, 
donuts,  whatever  it  takes,”  he  says.  “I  may  be 
the  quarterback,  but  I’m  out  there  blocking.”  He 
looks  for  similar  commitment  in  his  staff  and 
says  that  it  is  necessary  to  reach  the  top. 

You may feel the need to trumpet how hard
you work, but resist the temptation—if the
end result is good, the right people will notice.
Chasney has been involved with IT systems
that were touted by the development team but
scorned by the intended users, whose reaction is
the measure of success that matters most. “If the
customer raves about the system and provides
testimony of such to their peers, then a high rating
is achieved,” he says. “If you have to explain
to someone why it is a good solution, it isn’t.”

DHS’s Church says people also notice when a
project gets done quickly. To that end, he emphasizes
speed. “It doesn’t have to be perfect,” he
says. “It can be a 75 percent solution. Just get it
out there and then modify it later.” That’s not to
say a solution doesn’t have to work. It does. But
as long as the core functionality is there, let people
start to use it. You can always add bells and
whistles later. The key is to keep a steady focus
on the big picture while still paying attention
to details. Such talent is exhibited by Church’s
Ones to Watch winner, Matt Coose, DHS’s director
of engineering and PMO.


Ask  for  Help 

CIOs don’t become CIOs without help. Thus,
aspiring CIOs need to accept constructive criticism.
“Wise leaders are willing to admit that they


How  to  Make  It 

CIOs  on  what  their  winners  must  do  to  make  the  leap  to  CIO 


Jeff  Chasney,  EVP  of  strategic  planning  and  CIO,  CKE  Restaurants 
What  he  looks  for  in  a  protege:  The  willingness  to  do  whatever 
it  takes  to  get  the  job  done. 

Ones  to  Watch  winner:  Tom  Lindblom,  VP  and  CTO 
Why  I  nominated  him:  Tom  has  over  30  years  of  experience  in 
the  restaurant  industry,  so  he  knows  the  business  inside  out.  And  he  spends  an 
inordinate  amount  of  time  keeping  abreast  of  technology  and  regulatory  changes. 
What  he  needs  to  do  to  become  a  CIO:  “Tom's  avenues  are  to  move  to  another 
company  where  he  can  take  on  such  a  role  or  to  wait  for  me  to  vacate  the  CIO  role 
so  that  he  can  step  into  it.” 


Charles  Church,  CIO,  Preparedness  Directorate,  Department  of 
Homeland  Security 

What he looks for in a protégé: Intelligence, independence,
and  someone  who  can  bring  structure  to  a  chaotic,  fast-paced 
environment. 

Ones  to  Watch  winner:  Matt  Coose,  director,  engineering  and  PMO 

Why I nominated him: Matt is able to see the big picture while still focusing on the
details needed to make something a reality.

What  he  needs  to  do  to  become  a  CIO:  “Matt  is  ready  to  be  a  CIO  now.  I  am  lucky 
he  chooses  to  contribute  to  improving  our  nation’s  preparedness  posture  as  part 
of  the  Preparedness  Directorate  Information  and  Technology  team.” 


Marilyn  Delmont,  CIO,  City  of  Chandler,  Ariz. 

What  she  looks  for  in  a  protege:  Strong  interpersonal  and 
problem  resolution  skills.  Someone  who  seeks  to  improve  himself. 
The  ability  to  make  tough  decisions. 

Ones to Watch winner: Tyrone Howard, project management office manager

Why I nominated him: Ty has the ability to connect with people and is always
open to learning new things. He wants to be the best in whatever he does.

What he needs to do to become a CIO: “More exposure and insight into all of the
business aspects of the city...[And] continue educating himself on the role and
responsibilities of a CIO.”


Art  Lofton,  VP  &  CIO,  Integrated  Systems  Sector,  Northrop 
Grumman 

What he looks for in a protégé: Good leadership skills and a
drive  to  achieve  personal  goals. 

Ones  to  Watch  Winner:  Alex  Seefried,  IT  program  director, 
Airborne  Early  Warning  &  Early  Warning  Systems 

Why  I  nominated  him:  Alex  has  the  ability  to  clearly  articulate  a  vision  and  motivate 
his  team  to  achieve  it. 

What he needs to do to become a CIO: “Luck. He is clearly prepared. It’s just a
matter  of  opportunity  standing  between  him  and  a  CIO  position.”  -B.W. 


don’t  know  everything,”  says  McDargh. 

Early  in  his  career  Chasney  had  an 
epiphany.  He  was  always  a  go-getter  who 
could  solve  just  about  any  technology 
problem.  But  he  often  failed  when  it  came 
to  the  human  side  of  a  project.  One  day  his 
manager  pulled  him  aside.  “He  said,  ‘Take 
this  to  heart.  You  run  through  flower  beds.  I 
know  you  won’t  stop  doing  it,  but  make  sure 
you  go  back  and  prop  up  the  flowers.’  That 
resonated,”  says  Chasney. 

Everyone who becomes a CIO needs a
little bulldog in them. To rise through the
ranks you must be willing to do what it takes.
But you don’t always get to set the pace, so
one of the skills you need is the patience to
let things—projects, promotions, opportunities,
relationships—develop.

When Dworkin, the Cedars-Sinai CIO,
was director of IT for Georgia Pacific’s
Canadian operations, he pursued a series
of process-changing IT projects. He was so
determined to get the projects done that he
didn’t stop to make sure that he had convinced
all the business users. “Instead of
leading people, I was pushing them toward
something,” he says. The changes didn’t
take. “I needed to be a lot more patient,
which isn’t something that comes naturally
to me,” he reflects.

Dworkin  learned  his  lesson  but  still 
reminds  himself  to  slow  down.  For  example, 
Cedars-Sinai  is  looking  into  an  electronic 
medical  records  system.  “I’d  like  to  pick  a 
system  and  roll  it  out  this  year,”  he  says.  But 
to  succeed  he  knows  he  needs  to  get  user 
buy-in  and  make  sure  that  his  preparations 
are  thorough. 

Northrop Grumman’s Lofton says you
need patience when moving up. “You have
to pay your dues,” he says. “That means
fighting the urge for instant gratification.”
Once, Lofton put in for a promotion that
went to someone else. He was disappointed
but concluded that he had reached for a
position he wasn’t ready for yet.

Lofton also understood that people were
watching to see how he handled failure.
“How well you pull yourself up talks a lot
to your character,” he says. The lost promotion
taught him two lessons: First, there
will be a right time for everything. And second,
wait for the opportunity but start preparing
for it now. To paraphrase an adage,
“Luck is just opportunity and preparation
coming together,” he says.

Work  Your  Community 

Sometimes  you  need  to  make  your  own 
luck,  however.  Church  is  a  veteran  of  the 
dotcom  bubble.  He’s  been  rich  on  paper 
and  laid  off  more  times  than  he  cares  to 
count.  But  he  landed  on  his  feet,  in  part 
because  he  isn’t  afraid  to  put  himself  out 
there  and  network. 

Before DHS, Church worked for four
companies, including successful technology
startups like AOL and UUNet. And, of
course, for some that were less so. His last
job before he moved to government was vice
president of managed services for OneSoft.
By January 2001 the company was spending
$4 million a month more than it took in.
It went into Chapter 11, and Church needed
a new job. He decided to look for a government
job. “I sent an e-mail to every CIO in the
federal government,” he says.

Ron Miller, the deputy CIO at FEMA,
wrote back. Miller suggested Church apply
for IT jobs at USAJobs, the federal government’s
jobs site. Church landed a job running
the computer network for the Department
of the Treasury, and when DHS was created
in 2003 he became one of the CIOs there.
He was surprised to discover that his first
boss at DHS was a former coworker’s wife.
The experience made him realize that since
the IT community is small, it’s important to
maintain good relationships. After all, you
never know who you might end up working
for. “One of the most important lessons
I learned from the dotcom world was that
companies come and go but people don’t,”
says Church.

The  Importance  of  Being 
Earnest 

You may not have to go through four companies
like Church did, but odds are you won’t
become a CIO at your current employer.
Most IT people have to jump around in order
to keep moving up. “Once you’ve been in an
organization for a long time they stop seeing
you with fresh eyes,” says Chandler CIO Delmont.
She avoids this trap by encouraging
staff to be creative and come up with new
ideas that will garner attention. Yet even rising
stars can fall prey to this dilemma: Be too
good at what you do and your company has a
disincentive to promote you.

One of the benefits of moving around is
that you get to learn how different organizations
work. But each new job should be
chosen because it provides an opportunity
to hone a new skill such as project management,
says Chasney. And make sure you can
make a measurable difference in a job.

Becoming CIO is only part of the challenge.
The days when CIO stood for “career
is over” may be gone, but it’s important not to
overlook how hard it is to stay a CIO. “Once
you have risen to CIO you haven’t arrived,
you’ve just started a new job,” says Chasney.

To that end there is one last piece of wisdom
to consider when you finally make it.
The best advice I ever got, says Delmont, was
“don’t jeopardize your principles, because
that is what makes you.” (This advice has a
corollary: If you start kissing butt you will
always kiss butt. Delmont decided never to
kiss butt.)

Shakespeare  said  it  best:  “To  thine  own 
self  be  true.”  Don’t  change  who  you  are 
just  because  you  are  now  the  top  dog.  “I’m 
more  mature  now,”  says  Delmont.  “There 
are  times  when  you  have  to  be  tough,  when 
you  have  to  be  bold  and  when  you  have  to 
be  nice.  But  I  didn’t  change.  I  am  basically 
the same person.”


Senior  Writer  Ben  Worthen  can  be  reached  at 
bworthen@cio.com. 


What becomes a leader most? Take a lesson (or five) from those
who  possess  the  skills  and  qualities  a  successful  CIO  must  have 


BY  ALLAN  HOLMES 


Innovator. Team builder. Business strategist. Project driver. Change agent.


Well-rounded leaders must be all these things—and more—to succeed in today’s fast-paced
business environment. After all, leadership is not a static accomplishment. And
neither are the skills required to do it well.

In  fact,  the  capacity  for  agile  leadership  in  the  face  of  shifting  business  challenges  is 
practically  a  job  requirement  for  CIOs,  who  have  been  whipsawed  by  changes  ranging 
from  the  rapid  growth  of  the  dotcom  boom  to  the  need  to  slash  services  and  operate  on 
less  when  the  bubble  burst  and  the  economy  contracted.  “As  a  CIO,  you  need  to  manage 
what  you  have  and  manage  that  portfolio  as  effectively  as  you  can  given  the  resources  you 
have,”  says  Yahoo  CIO  Lars  Rabbe,  a  judge  for  the  Ones  to  Watch  awards. 

What’s true for the CIO also holds for those who aspire to the title. During their rise
to the top, all of our Ones to Watch honorees have stepped into the part of the business
strategist, change agent, innovator, project driver or team builder as the needs of the business
dictated or circumstances demanded.

But  even  within  this  stellar  group,  there  are  individual  winners  who  truly  shine  at 
playing  one  of  these  roles.  In  recognition  of  this  fact,  CIO  is  introducing  the  Ones  to 
Watch  Standout  awards  to  highlight  the  men  and  women  who  best  exemplify  the  critical 
leadership  criteria  that  help  to  distinguish  successful  CIOs.  Five  of  the  20  Ones  to  Watch 
winners  were  selected  for  this  special  honor  by  CIO,  based  on  a  careful  review  of  their 
applications  and  judging  scores. 


Reader  ROI 

::  Why  leaders  must  change 
with  the  times 

:: Five criteria that characterize
successful CIOs

:: Action items for each criterion


When  the  winds  of  change  blow,  leaders  must  be  able 
to  evolve  to  fit  the  times.  Think  Winston  Churchill  in 
World  War  II  or  New  York  Mayor  Rudy  Giuliani  after 
9/11.  “Leaders  need  to  adapt,”  says  David  Berke,  a  senior 
program  associate  at  the  Center  for  Creative  Leadership. 
As  situations  change,  “different  kinds  of  leaders  emerge 
because  some  people  are  better  at  certain  things.” 
What are the demands of today that are giving rise to the leaders
of tomorrow? Fast growth and global competition fuel the need
for innovation, according to Barbara Kunkel, CIO at Nixon Peabody
and a member of the judging panel. Kunkel says she seeks potential
IT leaders who grasp how innovation can give the law firm an advantage
in its highly competitive business sector. But innovation, she
says, is not necessarily coming up with whiz-bang technology or systems.
Sometimes it’s the ability to look at existing ideas or applications
and see how they can be used in a fresh way in today’s systems
or business processes. “It can be that simple,” Kunkel says.

As  the  economy  continues  to  grow  and  competition  heats  up, 
so  do  the  business  demands  on  IT.  Technology  departments  must 
deliver  solutions  with  real  value,  and  they  must  deliver  them 
quickly.  That  means  working  closely  with  major  internal  and 
external  stakeholders  to  develop  relationships  and  trust  in  IT,  as 
well  as  with  the  technology  staff  to  keep  workers  energized  and 
focused  on  where  the  business  is  going.  So  team-building  is  high 
on  the  list  of  what  a  future  CIO  needs  in  order  to  get  ahead.  “I  look 
for  high  energy  and  how  the  team  catches  that  energy,”  says  Sue 
Unger,  CIO  at  DaimlerChrysler  and  a  Ones  to  Watch  judge.  “This 
doesn’t  come  across  on  a  resume.” 

Technology  departments  today  must  be  masters  of  handling 
transition  as  companies  struggle  to  gain  competitive  advantage  in 
the  marketplace  by  aligning  the  business  with  IT. 

To  lead  others  in  a  new  direction  or  to  influence 
the  way  people  do  their  jobs  requires  acting  as  an 
agent  of  change.  And  that’s  never  easy.  “You  need 
to  deal  in  facts  and  not  get  caught  up  in  emotion,” 
says  Tom  Murphy,  CIO  of  AmerisourceBergen 
and  nominator  of  one  of  our  Standout  winners. 

Future IT leaders still rise or fall in an organization
based on their success in managing projects
and delivering results. Project management
is a hot topic among CIOs, who named backlogs
as their biggest hurdle to effectiveness in CIO’s
2006 “State of the CIO” research. DaimlerChrysler’s
Unger brings along her rising stars by starting
them on small IT projects. “Very rarely do
you have a diamond in the rough,” she says. “You
have to give them small but challenging assignments
that will stretch them and direct them
where we want the talent and growth. Then you
move on to larger and larger projects.”

Knowledge of business processes, strategic thinking and the ability
to communicate technology initiatives to the top brass are critical
to success in today’s executive suite. Indeed, says Unger, any
would-be CIO needs “to talk in business terms and understand
business problems and how IT can help or hurt that problem.”

A CIO lucky enough to possess an IT manager with an aptitude for
one of these roles needs to do two things: help the manager expand
her repertoire in order to round out leadership abilities, and
harness such talent to help IT deliver the greatest value to the
business.

“The important thing is that these characteristics are aligned
with the business strategy,” says Berke. “Have regular conversations
with executives that convey what you are looking for [in a
leader]. That way, you make sure you are developing the
high-potential [individuals] who can succeed.”

For  a  snapshot  of  what  a  high-potential  business  strategist, 
innovator,  change  agent,  project  driver  and  team  builder  looks 
like,  read  on. 

The  Business  Strategist 

Before  Rick  Broughton  tells  you  about  the  ERP  solution  he  heads 
up  or  the  development  of  the  business  intelligence  platform  he 
oversees,  he  tells  you  what  is  really  important  about  what  he 
does.  “It’s  not  difficult  to  step  back  and  remember  what  we’re  all 
about:  coffee,  donuts  and  ice  cream,”  says  Broughton,  director 
of  IT  strategy  for  Dunkin’  Brands,  and  winner  of  the  Standout: 
Business  Strategist  award.  “That’s  it.” 

Strategizing about how IT can deliver value to the business in
the form of higher sales or product improvements is how Broughton
spends his days at Dunkin’ Brands. “The business strategist
role within the IT function is making sure IT is aligned with the
business strategy and not doing what is best just in the IT
universe,” says Dunkin’ Brands CFO Kate Lavelle. “Rick does a very
good job of that.”

Make it a point to understand the business issues, then ask
yourself what IT needs to do, says Rick Broughton, director of IT
strategy for Dunkin’ Brands.

His talents are about to be tested again. Dunkin’ Brands
(franchiser of Dunkin’ Donuts and owner of Baskin-Robbins Ice Cream
and sandwich chain Togo’s) is preparing to launch a major expansion
into the Western United States. The move is part of a strategy
developed by new owners Thomas H. Lee Partners, Bain Capital
Partners and the Carlyle Group, which purchased the company
for $2.4 billion in March. The expansion means Broughton and
the IT department will be called upon to provide the best business
intelligence for the new franchisees. Broughton will also have to
ensure that the next phase of the new ERP system will tightly tie
together the burgeoning enterprise, creating efficiencies.

Broughton is up to the task. He knows IT but thinks strategically
and talks like a businessperson—skills he acquired during stints
in business development, operations, and sales and marketing.
Broughton has brought that mind-set to IT. For example, he created
the business intelligence steering committee, which considers
all new products for the company. The committee comprises business
unit leaders, the CFO, legal counsel and executives with field
experience. Only two technology staffers—the IT project manager
and a functional expert—sit in when the committee is considering
a new product and how IT can provide support. In the past,
IT would have dominated the discussion based on data compiled
from the business intelligence systems. “This way IT is not driving
the decisions,” says Broughton.

The  process  worked  well  when  the  company  rolled  out  an 
espresso  product  line  in  2004.  Initially,  the  IT  staff  proposed  that 
the  BI  system  measure  average  sales  of  espresso  and  the  number 
of  customers  who  bought  it.  The  business  side,  however,  suggested 
measuring  the  increase  or  decrease  in  sales  of  other  products  when 
customers purchased an espresso. By collecting that data, the company
could determine whether the new drink was siphoning sales
or driving the purchase of complementary products. In fact, the
data showed it drove afternoon and evening traffic and drove food
sales. “The metrics we thought of would have been fine,” Broughton
says, “but you don’t get the valuable metrics for the business
until  you  consult  the  business  side.” 

Tip:  Learn  the  business  and  be  part  of  it.  Don’t  just  say,  “Here's 
IT  work  that  needs  to  be  done.”  Instead,  ask,  “What  are  the 
business  issues,  and  what  do  we  need  to  do?” 

The  Innovator 

Being  an  innovator  is  not  just  about  coming  up  with  a  unique 
technology solution. It’s also about acting as a magnet for generating
new ideas that serve an organization’s business interests.

That’s how David Greenberg, CFO for the Georgetown
University Law Center, describes Pablo Molina,
the center’s campus CIO and winner of the Standout:
Innovator award. “Pablo can pull people together to generate
new ideas for the law school,” says Greenberg, who
nominated Molina. “He’s been a pioneer.”

Greenberg  says  it’s  the  creative  use  of  technology 
that  differentiates  the  center  from  the  competition  and 
helps  it  maintain  a  strong  reputation  among  the  nation’s 
top  law  schools.  Molina’s  talent  for  using  technology  in 
innovative ways to enhance how students learn and faculty
teach creates a competitive advantage for the center
and  helped  it  increase  the  caliber  of  applicants  seeking 
admission  to  the  program. 

Molina  developed  applications  and  infrastructure 
such as distance learning programs, webcasting, podcasting
and multimedia services to better support law
students  and  faculty.  Greenberg  says  these  programs, 
some  deployed  years  ahead  of  other  universities,  have  led 
to  Georgetown’s  recognition  as  one  of  the  top  15  U.S.  law 
schools  as  ranked  by  U.S.  News  and  World  Report. 

One  of  Molina’s  innovations  was  the  decision  to  set  up 
a wireless network that was among the first to be implemented
at a U.S. law school. The network, which allows
access to the campus intranet and the Internet, has fostered
greater interaction between faculty and students
and  created  a  strong  sense  of  community  that  potential 
students  are  attracted  to,  Molina  says. 

Working with Greenberg and senior administrators,
Molina also led the development of e-commerce initiatives
at the law center, including an online admissions portal and
a website for alumni reunions and donations, news management,
and continuing education registration. These initiatives
have generated millions of dollars in revenue for
the school.

Molina is constantly reading and researching new technologies
and talking with students and faculty about how to
deliver  products  and  services  to  meet  their  needs.  “You  have 
to  do  a  lot  of  reading  and  have  a  very  creative  imagination,” 
Molina  says.  “But  to  be  creative,  you  have  to  talk  a  lot  to  your 
constituents  about  what  they  want  and  need.” 

Tip: Encourage creative thinking and out-of-the-box
ideas by valuing those who question traditional operating
procedures and methods. This leads direct reports to
think beyond standard industry practices to gain the strategic
advantage of new technology developments.


The  Change  Agent 

Change  is  difficult  when  you  go  it  alone.  That’s  why  Perry 
Sandberg,  VP  of  portfolio  and  program  management  at 
AmerisourceBergen,  doesn’t  try  to  do  it  by  himself.  Instead, 
the  winner  of  the  Standout:  Change  Agent  award  is  a  master 
at  building  bridges  and  winning  consensus.  When  Sandberg 
arrived  at  the  pharmaceutical  supplier  in  January  2005, 
the  IT  department  was  held  in  low  esteem  by  the  rest  of  the 
$54  billion  company.  There  was  a  backlog  of  more  than  1,800 
projects.  The  technology  staff  received  little  input  from  business 
executives  as  to  which  were  most  important.  IT’s  most  frequent 
answer  to  any  request  for  help  was  “no.”  AmerisourceBergen 
needed  someone  who  could  change  IT’s  bunker  mentality  and  help 
the  department  be  viewed  as  a  partner  in  the  business,  not  as  an 
obstacle.  No  small  feat. 

Such a culture-changing task needs complete buy-in from all
parties. So one of Sandberg’s first acts upon arriving at
AmerisourceBergen was the creation of a critical program management
team, called the Business Opportunity Council. Its purpose was to
get business unit executives to decide which IT projects are most
critical to the company’s financial success. As a part of that process,
the council reduced the backlog by prioritizing projects and
bundling many together. For FY06, the council received requests for
225 projects, of which 42 were approved.

Sandberg also convinced skeptical executives to sit down with
him once a month to discuss which projects could deliver the
greatest value. To win them over, Sandberg says, “I asked each of
them, ‘Don’t you want to do what is in the best interest for the
corporation?’ When it is presented like that, no one can argue against
the logic.” Now, the IT department is no longer solely responsible
for determining project priority. No longer are the business units
competing to get projects approved. No longer is the company
pursuing projects that don’t deliver business value. Now every
executive is accountable.

The Judges

All nominees were critiqued by three members of our judging panel

But  change  is  a  two-way  street.  Not  only  did  the  business  have 
to  change,  IT  did  too.  The  culture  of  nay-saying  had  to  go.  “The 
guidance  I  give  to  my  staff  is  that  you  don’t  say  no,”  says  Sandberg. 
“When  someone  comes  to  us  and  says,  ‘I  need  this,’  we  say,  ‘That’s 
great.  We’ll  work  on  it.  But  first  come  up  with  the  business  case.’” 

CIO  Tom  Murphy  says  that  Sandberg’s  gentle  forcefulness 
makes him a natural at finding ways to lead others in a new direction.
Murphy credits Sandberg’s “ability to change the way people
do  their  jobs  and  keep  them  laughing  at  the  same  time”  as  a  key 
factor  in  his  success  at  effecting  change  within  the  organization. 

“He’s a statesman,” says Murphy. “He just has that innate capability
to be patient and empathetic. He shows how change will
help  you,  and  that  is  what  is  invaluable  because  IT  departments 
are  all  about  change.” 

Tip:  Introducing  change  is  risky.  Support  those  risk  takers  in 
your  department  by  providing  a  safe  harbor  in  which  taking  risks 
is  not  discouraged  and  second-guessing  is  kept  to  a  minimum. 


The  Project  Driver 

Linda Gilpin, associate CIO for Enterprise Services at the IRS,
calls Gina Garza a “quadruple threat” because she excels at four of
the five roles an up-and-coming CIO must play. But where Garza
really shines is at delivering projects, says Gilpin. So Garza, the
IRS’s deputy associate CIO for business integration, is the winner
of the Standout: Project Driver award.

How We Chose the Winners

To qualify for the 2006 Ones to Watch award, candidates had
to be nominated or sponsored by a CIO. A 15-member panel
of working CIOs and the CIO Executive Council reviewed and
rated the applications. Three CIOs scored each nominee on
several criteria, including expertise in a range of business and
IT functions, experience in leading a large project or conceiving
a new business product, and ability to turn around a troubled
project or organization. After a final due-diligence review
by CIO's editors, we chose the 20 Ones to Watch.

To select the winners of the Ones to Watch Standout
awards, the editors reviewed the applications and judging
scores of all the finalists to determine which candidates
showed an outstanding aptitude for business strategy, leading
change, team-building, driving projects or innovation.

And  that’s  a  good  thing  for  the  IRS,  now  in  the  midst  of  its 
third  attempt  to  modernize  the  systems  that  manage  tax  forms  for 
200 million Americans. Poor project management derailed a previous
modernization attempt in the late ’90s, wasting more than
$3 billion. But with help from IT leaders such as Garza, the IRS “has
improved its 2006 filing season performance,” according to the
Government Accountability Office, especially in electronic filing and
online  tax  assistance.  Garza’s  office  played  an  important  role  in  this 
success  by  developing  services  that  benefited  both  these  programs. 

Garza  honed  her  ability  to  execute  projects  during  time  spent  on 
the  business  side  of  the  IRS.  While  there  she  introduced  the  use  of 
experts  to  work  with  project  managers  on  teasing  out  the  necessary 
requirements  for  projects.  When  Garza  moved  to  IT,  she  took  the 
idea and turned it into the Centers of Excellence, a stable of 40 project
management experts plus some outside contractors who each
focus on a specific activity such as lifecycle management or cost
estimation. When one of the IRS’s four tax divisions requests help with
a  project,  the  Centers  of  Excellence  can  provide  a  single  expert  or  a 
whole  team,  depending  on  the  need. 

The natural tendency of project managers is to not give up control,
so “it’s a hard model to sell,” says Garza. “But once it is put in
place,  people  like  it  and  word  gets  around.” 

To establish the model’s credibility, Garza turned to colleagues
who trusted her abilities and asked them to try it in their shop. For
example, last year she worked with the project manager in charge of
the third release of the IRS’s electronic tax filing project. Garza
supplied an expert on cost estimation to make sure the bids on the new
release, which expanded the type of tax forms that could be filed
electronically, were reasonable. Electronic filing has been an IRS success
story: This past tax filing year, almost two-thirds of Americans filed
their tax returns electronically.

Garza says the keys to driving a project are having
a clear vision and goals, establishing a good team,
and utilizing proven processes and design solutions.
“You don’t learn it as you go,” she adds.

Tip:  Be  disciplined  in  not  allowing  projects  to 
advance  to  the  next  stage  before  key  components 
are  completed.  But  remember,  flexibility  is  vital. 
Learn  what  is  a  nonnegotiable  item  (like  obtaining 
a  security  certification)  and  what  is  less  important 
(like  a  transition  plan). 


The Team Builder

The  state  prison  system  is  the  last  place  you  would 
expect  to  find  someone  to  rebuild  your  IT  team  and 
turn  around  its  sagging  internal  reputation.  But 
that is exactly where Steve McDowell, CIO at Holiday
Retirement, found Deputy CIO Tonya Ruscoe,
winner  of  the  Standout:  Team  Builder  award. 

Ruscoe  wasn’t  an  inmate.  In  fact,  she  didn’t  even 
possess  the  traditional  IT  technical  skills.  Before 
coming to Holiday a little more than a year ago, Ruscoe
was a project manager in Oregon’s Department of
Corrections  and  had  scored  a  great  success  in  helping 
the  system  drop  its  three-year  recidivism  rate  from 
33  percent  in  1999  to  29  percent  in  2002.  Her  ability 
to  work  with  the  corrections  system’s  many  internal  and  external 
stakeholders  to  improve  performance  caught  McDowell’s  attention. 
He  called  her  to  discuss  how  team-building  could  help  Holiday’s 
IT  department,  which  had  some  very  talented  managers  who  did 
not communicate well. Such poor communication creates a difficult
environment in which to support an expanding business. But
the operator of retirement communities faced another challenge:
Holiday’s culture is a people-oriented one that downplays technology.
The CEO had a computer on his desk, but rarely used it; the
COO  did  not  even  have  a  computer. 

McDowell  persuaded  Ruscoe  to  take  on  the  job  of  turning 
around  Holiday’s  IT  department.  After  she  arrived,  Ruscoe  began 
researching  team  relationship  theory  and  used  experiences  from 
her previous job to develop a program to teach the IT staff the
difference between a group and a team. The department was filled
with  talented  workers  who  successfully  built  up  their  respective 
IT  services,  such  as  network  management  and  help  desk  assistance. 
That  model  worked  well  when  Holiday  was 
a  small  company,  but  with  plans  to  grow 
rapidly,  the  company  needed  a  technology 
team  that  could  synchronize  IT  services  and 
improve  communication  with  the  rest  of  the 
company  to  deliver  the  required  business 
value and efficiencies to compete in the retirement
market.

Ruscoe developed a yearlong program for the IT staff, which
included two and a half hours per month in class learning
about teamwork. Staffers also took personality tests and
role-played. Many companies offer similar exercises during retreats
every year. What made this effort different, Ruscoe says, is that the
lessons learned in the program were applied during the weekly
staff meetings. By understanding personality types, she reasoned,
managers can better understand how to communicate with one
another.

To improve technology systems, says Tonya Ruscoe, deputy
CIO at Holiday Retirement, “you have to improve how
people work together.”

Washington Bureau Chief Allan Holmes can be
reached at aholmes@cio.com.

Ruscoe  now  has  the  IT  department  working  to  improve  internal 
customer service and change the company’s perception of technology.
IT has developed a communication plan associated with every
service  it  provides  the  company.  For  example,  if  the  help  desk  is 
overwhelmed  with  calls,  the  IT  department  dives  in  and  dissects 
the  problem.  “That  way  we  can  find  out  what  the  problem  really  is 
and  serve  our  customer  better,”  McDowell  says. 

The IT department’s reputation has improved as a result of the
changes, Ruscoe says. “It’s like anything with IT. It’s not based on
technology systems but rather people systems,” she says. “You
have to improve how people work together
to improve how technology works.”

Tip:  Foster  personal  development  with 
the  goal  of  improving  communication.  Be 
prepared  to  dedicate  time  and  effort  to  a 
long-term  program  that  uses  on-the-job 
situations  to  reinforce  what  has  been 
learned in workshops and exercises.


Web  Teleconference  on  Team  Building 


Ones to Watch honoree Tonya Ruscoe,
deputy CIO at Holiday Retirement, and her
CIO, Steve McDowell, will discuss HOW TO
FOSTER I.T. TEAM BUILDING in a CIO Executive
Council teleconference. This event takes
place July 13, 4-5 p.m. ET, and is open to all
IT practitioners from the CIO and CIO.com
readership. Register at
www.cioexecutivecouncil.com/public/teleconferences.


Ones to Watch | Honorees


Our  20  Ones  to  Watch  honorees  bring 
business  acumen,  technical  skill  and 
passion  to  their  drive  for  leadership 


COMPILED  BY  KATHERINE  WALSH 


Winning  Ways 


» What does it take to be a Ones to Watch winner? For a look
at the ACCOMPLISHMENTS of this year’s honorees and to
hear PODCAST INTERVIEWS in which they discuss success,
failure and what it takes to lead, go to
www.cio.com/awards/otw/2006.

» Get information about the 2007 ONES TO WATCH
awards and submit your own application at
www.cio.com/awards. Applications available in August.


Simon  Benzekri,  38 
Manager  of  Information 
Services 
Penson  Financial 
Services  Canada 

“IT  has  the  potential  to  regularly 
reward  firms  that  deliver  true 
business  value  from  focused 
innovation." 


Rick  Broughton,  40 
Director,  IT  Strategy 

Dunkin’ Brands

"My  mentors  have  taught  me  that 
it's  not  as  important  to  be  the 
smartest  one  in  the  room  as  it 
is  to  be  capable  of  leading  the 
smartest  ones  into  the  room." 


Matt Coose, 36

Director,  Engineering  and  PMO 

Department  of  Homeland 
Security 

“IT  can  increase  the  efficiency 
and  effectiveness  of  our  efforts 
to  create  a  safe,  secure  and 
prepared  nation." 


Cigdem  Delano,  44 
Deputy  Executive  Director 
Georgia  Technology  Authority 

“My  mentor  taught  me  to  trust 
my  instincts  and  to  stay  attuned 
to  the  details  of  my  business- 
no  matter  my  position. " 


Russell  Douglas,  46 

Director,  Integration  and 
Operations 

Aviall  Services 

"Technology is a paradox.
The more you learn, the less
you realize you know. That
paradox has existed for me
since I've been in computing."


Michael  Fuqua,  46 
Senior  VP,  Strategic 
Development 

Global  Crossing 

“IT  has  a  direct  impact  on 
the  dynamics  of  a  business 
and  a  bottom-line  impact  on 
operational  efficiencies  and 
revenue creation."


Gina  Garza,  51 
Deputy  Associate  CIO, 
Business  Integration 
IRS 

"When  I  get  to  see  the  business 
transformed  through  IT,  I  know 
that  I’ve  made  things  better  for 
employees  and  our  customers. " 


Dean  Hall,  45 
Project  Management 
Executive 
FBI 

"IT has  the  potential  to  be  used 
for  extreme  good  or  evil.  Our 
duty  is  to  enable  the  former 
and  defend  against  the  latter." 


Tyrone  Howard,  36 
Project  Management 
Office  Manager 

City  of  Chandler,  Ariz. 

“IT  has  an  unlimited  impact 
on  our  lives.  The  exciting 
part  about  it  is  we  have  only 
scratched  the  surface:  business, 
learning,  recreation  and,  just 
as  important,  ideas  and 
imagination." 




Tom  Lindblom,  46 
VP  and  CTO 

CKE  Restaurants 

"I love IT because we provide
tools and actionable information
that enable outstanding
customer service and financial
results."


Craig  Page,  49 
Senior  VP,  Enterprise 
Data  Center 

First  Data  Corp. 

“People  and  technology  come 
together  through  IT.  Without 
both,  the  future  would  be  bleak; 
together,  the  future  is  very 
bright." 


Alex Seefried, 47
IT  Program  Director, 

Airborne  Early  Warning  & 
Early  Warning  Systems 
Northrop  Grumman 

"Inspiring  IT  professionals  to 
do  great  things  fulfills  their 
potential,  leading  the  company 
to  reach  its  potential." 


Larry  Markson,  45 
Director  of  Clinical 
Applications 

Beth  Israel  Deaconess 
Medical  Center 

"By  giving  providers  a  level 
of  information  and  decision 
support  that  was  previously 
unimaginable,  IT  can  transform 
patient  care.” 


Jim  Preston,  41 
Deputy  CIO,  BT  Retail 

BT  Group 

"IT  is  dynamic,  challenging  and 
has  the  power  to  engender  true 
teamwork  across  an  entire 
business  to  deliver  customer 
success." 


Ajay  Waghray,  44 

Vice  President 

Verizon  Wireless 


"Technology  presents  constant 
opportunities  to  enable 
new  products  and  services, 
simplify  business  operations 
and  enhance  the  customer's 
experience." 


Chase  McCarthy,  43 
Manager,  Group  Internal 
Information  Systems,  Madrid 

Amadeus  IT  Group  SA 

“IT  has  the  potential  to  change 
tomorrow." 


Pablo  Molina,  37 
Campus  CIO 

Georgetown  University 
Law  Center 

"Technology  can  reduce  the 
digital  divide  among  educational 
institutions  and  students  in 
different  parts  of  the  world. " 


Tonya  Ruscoe,  41 
Deputy  CIO 

Holiday  Retirement  Corp. 

“My  mentor  taught  me  to  care 
deeply  about  what  you  do,  but 
don't  get  so  invested  that  you 
lose  sight  of  the  bigger  picture. " 


Perry  Sandberg,  44 
VP,  Portfolio  &  Program 
Management 

AmerisourceBergen 

"IT  has  the  potential  to  impede 
or  enable  the  business  vision. 
Ensuring  alignment  is  essential 
to  success  for  both." 


Robert  Worrall,  45 
VP,  IT  Governance, 

Acting  VP  Strategy  and 
Architecture 

Sun  Microsystems 

"My mentor taught me that
technology alone isn't the
answer. The power of IT lies
in how technology is properly
applied to solve business
problems."
IN EVENT OF EMERGENCY


Trade  Show 
Survival  Guide 


1 The negotiation booth has no windows and just one door. Typically, the sales guy is blocking the door.

2 In the event of a hardsell, unhook the strap on your promotional laptop case to use as a grappling hook.

3 The booth will have
bag to rappel over nearest available exterior wall.


1 On crowded shuttle buses, slip the driver a ten spot to swing by your hotel first.

2 Do not, under any circumstances,
next to the woman wearing the butl that says "Ask Me How SnazzSoft 3 Delivers 500% ROI."


1 Your name tag may identify you as a deep-pocketed buyer. (Look for the holographic dollar sign next to your title.)

2 If so, swap it with
a consultant. This will allow you to go anywhere freely, as no vendor wants to waste time with a consultant.


The 8 a.m. keynote address. If you arrive without caffeine, emergency lighting in the aisles will guide you to the nearest Starbucks.


Pack the 37 pounds of product brochures you've collected into a box and FedEx them to someone who has wronged you.


Please keep this card in your inner suit jacket pocket for quick reference during an actua,
ILLUSTRATION BY MATTHEW GOEBEL

